Introduction to Docker 
Version: d7590d1 


docker 


An Open Platform to Build, Ship, and Run Distributed Applications 
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Logistics 
+ Updated copy of the slides: http://container.training/ 


e Note: the PDF version has extra slides 


+ You should have a little piece of paper, 
with your training VM IP address + credentials 


+ Can't find the paper? Raise your hand and ask for one! 


e Backchannel: 


container.training/chat 


- students: feel free to ask questions there 
- TAs: join the channel to answer questions 
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Part 1 


- About Docker 

e Your training Virtual Machine 

- Install Docker 

e Our First Containers 

+ Background Containers 

- Restarting and Attaching to Containers 
+ Understanding Docker Images 

- Building Docker images 

. Advanced Dockerfiles 


e A quick word about the Docker Hub 
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Part 2 


e Naming and inspecting containers 

e Introduction to Container Networking 

+ Container Network Model 

+ (Connecting Containers with Links) 

e (Ambassadors) 

+ Local Development Workflow with Docker 
e Working with Volumes 


+ Compose For Development Stacks 
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About Docker 


About Docker 
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About Docker 


Lesson 1: Docker 30,00 Oft overview 
Objectives 
In this lesson, we will learn about: 
Why containers (non-technical elevator pitch) 
Why containers (technical elevator pitch) 
How Docker helps us to build, ship, and run 
The history of containers 
We won't actually run Docker or containers in this chapter (yetl). 


Don't worry, we will get to that fast enough! 
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About Docker 


Elevator pitch 


(for your manager, boss...) 
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About Docker 


OK... Why the buzz around containers? 


The software industry has changed. 


Before: 


e monolithic applications 

+ long development cycles 
- single environment 

e slowly scaling up 


Now: 
e decoupled services 
. fast, iterative improvements 
+ multiple environments 
e quickly scaling out 
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About Docker 


Deployment becomes very complex 


Many different stacks: 
- languages 
e frameworks 
e databases 


Many different targets: 


- individual development environments 
+ pre-production, QA, staging... 
e production: on prem, cloud, hybrid 
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About Docker 


The deployment problem 
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About Docker 


The Matrix from Hell 


Static website 


Single Prod Onsite 
Server Cluster 


docker 
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About Docker 


An inspiration and some ancient history! 


Do | worry about 
how goods interact 
(e.g. coffee beans 
next to spices) 


spooo jo Ap dany i 


Can I transport quickly 
and smoothly 
(e.g. from boat to 
train to truck) 


Sulio}s/Zuniodsuen 
103 spoyiou 
30 Aan 
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About Docker 


Intermodal shipping containers 
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About Docker 


This spawned a Shipping Container Ecosystem! 


e 90% of all cargo now shipped in a standard container 

¢ Order of magnitude reduction in cost and time to load and unload ships 

e Massive reduction in losses due to theft or damage 

e Huge reduction in freight cost as percent of final goods (from >25% to <3%) 
r e > massive globalization 
docker e 5000 ships deliver 200M containers per year 
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About Docker 


A shipping container system for applications 
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About Docker 


Eliminate the matrix from Hell 


ie 
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About Docker 


Results 


+ Dev-to-prod reduced from 9 months to 15 minutes (ING) 
¢ Continuous integration job time reduced by more than 60% (BBC) 


+ Dev-to-prod reduced from weeks to minutes (GILT) 
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About Docker 


Elevator pitch 


(for your fellow devs and ops) 
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About Docker 


Escape dependency hell 


Write installation instructions into an "INSTALL.txt" file 

Using this file, write an "install.sh" script that works for you 

Turn this file into a "Docteerfile', test it on your machine 

If the Dockerfile builds on your machine, it will build anywhere 
Rejoice as you escape dependency hell and "works on my machine’ 


U AUN‘ 


Never again "worked in dev - ops problem now!" 
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About Docker 


On-board developers and contributors rapidly 


Write Dockerfiles for your application components 

Use pre-made images from the Docker Hub (mysql, redis...) 
Describe your stack with a Compose file 

On-board somebody with two commands: 


DES = 


git clone ... 
docker-compose up 


Also works to create dev, integration, QA environments in minutes! 
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About Docker 


Implement reliable Cl easily 


Build test environment with a Dockerfile or Compose file 
For each test run, stage up a new container or stack 
Each run is now in a clean environment 


PWN = 


No pollution from previous tests 


Way faster and cheaper than creating VMs each time! 
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About Docker 


Use container images as build artefacts 


Build your app from Dockerfiles 

Store the resulting images in a registry 

Keep them forever (or as long as necessary) 

Test those images in QA, Cl, integration... 

Run the same images in production 

Something goes wrong? Rollback to previous image 
Investigating old regression? Old image has your back! 


ay. OE BS OU, 


Images contain all the libraries, dependencies, etc. needed to run the app. 


Docker Fundamentals d7590d1 23 © 2015 Docker Inc 


About Docker 


Decouple "plumbing" from application logic 


Write your code to connect to named services ("db', api...) 

Use Compose to start your stack 

Docker will setup per-container DNS resolver for those names 

You can now scale, add load balancers, replication ... without changing your code 


PWN = 


Note: this is not covered in this intro level workshop! 
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About Docker 


What did Docker bring to the table? 


Docker before/after 
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About Docker 


Formats and APIs, before Docker 


- No standardized exchange format. 
(No, a rootfs tarball is not a format!) 


- Containers are hard to use for developers. . 
(Where's the equivalent of docker run debian?) 


- Asaresult, they are hidden from the end users. 


+ Nore-usable components, APIs, tools. 
(At best: VM abstractions, e.g. libvirt.) 


Analogy: 


- Shipping containers are not just steel boxes. 


- They are steel boxes that are a standard size, 
with the same hooks and holes. 
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About Docker 


Formats and APIs, after Docker 


e Standardize the container format, because containers were not portable. 
+ Make containers easy to use for developers. 
e Emphasis on re-usable components, APIs, ecosystem of standard tools. 


+ Improvement over ad-hoc, in-house, specific tools. 
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About Docker 


Shipping, before Docker 


Ship packages: deb, rpm, gem, jar, homebrew... 
Dependency hell. 
"Works on my machine. 


Base deployment often done from scratch (debootstrap...) and unreliable. 
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About Docker 


Shipping, after Docker 


Ship container images with all their dependencies. 
Images are bigger, but they are broken down into layers. 
Only ship layers that have changed. 


Save disk, network, memory usage. 
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About Docker 


Example 


Layers: 


+ CentOS 

e JRE 

+ Tomcat 

- Dependencies 
- Application JAR 


+ Configuration 
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About Docker 


Devs vs Ops, before Docker 


Drop a tarball (or a commit hash) with instructions. 

Dev environment very different from production. 

Ops don't always have a dev environment themselves ... 
.. and when they do, it can differ from the devs’. 

Ops have to sort out differences and make it work ... 

... or bounce it back to devs. 


Shipping code causes frictions and delays. 
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About Docker 


Devs vs Ops, after Docker 


+ Drop a container image or a Compose file. 
¢ Ops can always run that container image. 
+ Ops can always run that Compose file. 


e Ops still have to adapt to prod environment, but at least they have a reference 
point. 


- Ops have tools allowing to use the same image in dev and prod. 


- Devs can be empowered to make releases themselves more easily. 
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About Docker 


Clean separation of concerns 


* Dan the Developer es * Oscar the Ops Guy 
* Worries about what's “inside” the Corvercast ing * Worries about what's “outside” 
container the container 
+ His code Logging 
+ His Libraries . Remote access 
+ His Package Manager k re 
* His Apps 
* All contai tart, , COPY, 
His Data attach, migrate, ele. the samme 


+ All Linux servers look the same way 


docker 
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About Docker 


History of containers ... and Docker 
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About Docker 


First experimentations 


IBM VM/370 (1972) 

Linux VServers (2001) 
Solaris Containers (2004) 
FreeBSD jails (1999) 


Containers have been around for a very long time indeed. 
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About Docker 


VPS-olithic period (until 2007-2008) 
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About Docker 


Containers = cheaper than VMs 


Containers are isolated, 

but share OS kernel and, where 
appropriate, bins/libraries 

VM 


..result is significantly faster deployment, 
much less overhead, easier migration, 
faster restart 


Container 


Host OS 


Server 


. Users: hosting providers. 


+ Highly specialized audience with strong ops culture. 
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About Docker 


PaaS-olithic period (2008-2013) 
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Containers 


About Docker 


= easier than VMs 


Features | Blog | About | Login 


mi Instantly Live 
When you create or import 
an app with Heroku, it's 


already live on the web. No 
configuration or deployment 


necessary. 
Watch Demo > 


F Share and Collaborate 


Make your app public to the 


web or private to users you 
specify. Add collaborators 
who can edit the app with 
you. 

Watch Demo > 


Sign up for our limited beta and we'll send you an invitation as soon as possible. 


5 m 
Create and Edit Online 


Edit all of your code and 
data right in your browser. 
You can access it anywhere 
and there's nothing to install. 
Watch Demo > 


Import & Export 

Easily import and export 
your app's code, schema, 
and data at any time with 
just one click. 


e I can't speak for Heroku, but containers were (one of) dotCloud's secret weapon 
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About Docker 


The origins of the Docker Project 


dotCloud was operating a PaaS, using a custom container engine. 
This engine was based on OpenVZ (and later, LXC) and AUFS. 
It started (circa 2008) as a single Python script. 


By 2012, the engine had multiple (-10) Python components. 
(and ~100 other micro-services!) 


End of 2012, dotCloud refactors this container engine. 


The codename for this project is "Docker.' 
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About Docker 


First public release 


e March 2013, PyCon, Santa Clara: 
"Docker" is shown to a public audience for the first time. 


e Itis released with an open source license. 

- Very positive reactions and feedback! 

+ The dotCloud team progressively shifts to Docker development. 
- Thesame year, dotCloud changes name to Docker. 


e In 2014, the PaaS activity is sold. 
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About Docker 


Docker early days (2013-2014) 
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About Docker 


First users of Docker 


PAAS builders (Flynn, Dokku, Tsuru, Deis...) 
PAAS users (those big enough to justify building their own) 
Cl platforms 


developers, developers, developers, developers 
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About Docker 


Positive feedback loop 


In 2013, the cn under containers (cgroups, namespaces, copy-on-write 
storage...) had many blind spots. 


The growing popularity of Docker and containers exposed many bugs. 
As aresult, those bugs were fixed, resulting in better stability for containers. 
Any decent hosting/cloud provider can run containers today. 


Containers become a great tool to deploy/move workloads to/from on-prem/ 
cloud. 
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About Docker 


Maturity (2015-2016) 
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About Docker 


Docker becomes an industry standard 


Docker reaches the symbolic 1.0 milestone. 
Existing systems like Mesos and Cloud Foundry add Docker support. 
Standards like OCI, CNCF appear. 


Other container engines are developed. 
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- The initial container engine is now known as "Docker Engine: 


About Docker 


Docker becomes a platform 


e Other tools are added: 


Docker Compose (formerly "Fig") 
Docker Machine 

Docker Swarm 

Kitematic 

Docker Cloud (formerly "Tutum"') 
Docker Datacenter 

etc. 


e Docker Inc. launches commercial offers. 
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About Docker 


Docker Inc. (the company) 
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About Docker 


About Docker Inc. 


+ Docker Inc. used to be dotCloud Inc. 
e dotCloud Inc. used to be a French company. 


+ Docker Inc. is the primary sponsor and contributor to the Docker Project: 


e Hires maintainers and contributors. 
e Provides infrastructure for the project. 
e Runs the Docker Hub. 


e HQ in San Francisco. 


+ Backed by more than 100M in venture capital. 
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About Docker 


How does Docker Inc. make money? 


SAAS 


¢ Docker Hub (per private repo) 
¢ Docker Cloud (per node) 


Subscription 


e on-premise stack (Docker Datacenter) 
e DTR (Docker Trusted Registry) 

e UCP (Universal Control Plane) 

+ CS (Commercially Supported Engine) 


Support 


Training and professional services 
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Your training Virtual Machine 


Your training Virtual Machine 
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Your training Virtual Machine 


Lesson 2: Your training Virtual Machine 
Objectives 
In this section, we will see how to use your training Virtual Machine. 


If you are following this course as part of an official Docker training or workshop, you 
have been given credentials to connect to your own private Docker VM. 


If you are following this course on your own, without access to an official training Virtual 
Machine, just skip this lesson, and check "Installing Docker" instead. 
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Your training Virtual Machine 


Your training Virtual Machine 


This section assumes that you are following this course as part of an official Docker 


training or workshop, and have been given credentials to connect to your own private 
Docker VM. 


This VM has been created specifically for you, just before the training. 


It comes pre-installed with the latest and shiniest version of Docker, as well as some 
useful tools. 


It will stay up and running for the whole training, but it will be destroyed shortly after 
the training. 
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Your training Virtual Machine 


Connecting to your Virtual Machine 


You need an SSH client. 
On OS X, Linux, and other UNIX systems, just use ssh: 


$ ssh <login>@<ip-address> 


On Windows, if you don't have an SSH client, you can download: 


Putty (www.putty.org) 
e Git BASH (https://git-for-windows.github.io/) 
e _ MobaXterm (http://moabaxterm.mobatek.net) 
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Once logged in, make sure that you can run a basic Docker command: 


Your training Virtual Machine 


Checking your Virtual Machine 


$ docker version 


Client: 
Version: 

API version: 
Go version: 
Git commit: 
Built: 
OS/Arch: 


Server: 
Version: 

API version: 
Go version: 
Git commit: 
Built: 
OS/Arch: 


1.11.1 

1.23 

gol.5.4 

5604cbe 

Tue Apr 26 23:38:55 2016 
Linux/amd64 


1.11.1 

1.23 

gol.5.4 

5604cbe 

Tue Apr 26 23:38:55 2016 
Linux/amd64 


- If this doesn't work, raise your hand so that an instructor can assist you! 
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Install Docker 


Install Docker 
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Install Docker 


Lesson 3: Installing Docker 
Objectives 


At the end of this lesson, you will know: 


e How to install Docker. 


e When to use Sudo when running Docker commandés. 


Note: if you were provided with a training VM for a hands-on tutorial, Es can ship this 
chapter, since that VM already has Docker installed, and Docker has already been setup 
to run without sudo. 
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Install Docker 


Installing Docker 


Docker is easy to install. 


It runs on: 


e — A variety of Linux distributions. 
+ OS X via a virtual machine. 


e Microsoft Windows via a virtual machine. 
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Install Docker 


Installing Docker on Linux 


It can be installed via: 


Distribution-supplied packages on virtually all distros. 

(Includes at least: Arch Linux, CentOS, Debian, Fedora, Gentoo, openSUSE, 
RHEL, Ubuntu.) 

Packages supplied by Docker. 

Installation script from Docker. 


Binary download from Docker (it's a single file). 
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Install Docker 


Installing Docker with upstream packages 


Preferred method to install Docker on Linux. 
Upstream's packages are more up-to-date than distros’. 


Instructions per distro: 


https://docs.docker.com/engine/installation/linux/ 


Package will be named docker-engine. 
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Install Docker 


Installing Docker with distros packages 
On Red Hat derivatives (Fedora, CentOS): 


$ sudo yum install docker 


On Debian and derivatives: 


$ sudo apt-get install docker.io 
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Install Docker 


Installation script from Docker 
You can use the curl command to install on several platforms: 


$ curl -s https://get.docker.com/ | sudo sh 


This currently works on: 


e Ubuntu 
+ Debian 
- Fedora 

+ Gentoo 
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Install Docker 


Installing on OS X and Microsoft Windows 


Docker doesn't run natively on OS X or Microsoft Windows. 


There are three ways to get Docker on OS X or Windows: 


Using Docker Mac or Docker Windows (recommended); 
Using the Docker Toolbox (formerly recommended); 


Rolling your own with e.g. Parallels, VirtualBox, VMware... 
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Install Docker 


Running Docker on OS X and Windows 


When you execute docker version from the terminal: 


+ the CLI connects to the Docker Engine over a standard socket, 
. the Docker Engine is, in fact, running in a VM, 

e _... but the CLI doesn't know or care about that, 

- the CLI sends a request using the REST API, 

+ the Docker Engine in the VM processes the request, 


e the CLI gets the response and displays it to you. 


All communication with the Docker Engine happens over the API. 


This will also allow to use remote Engines exactly as if they were local. 
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Install Docker 


Rolling your own install 


Good luck, you're on your own! 
There is (almost?) no good reason to do that. 


If you want to do something very custom, the Docker Toolbox is probably better 
anyway. 
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Install Docker 


Using the Docker Toolbox 


The Docker Toolbox installs the following components: 


VirtualBox + Boot2Docker VM image (runs Docker Engine) 
Kitematic GUI 

Docker CLI 

Docker Machine 

Docker Compose 


A handful of clever wrappers 
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Install Docker 


About boot2docker 


It is a very small VM image (-30 MB). 
It runs on most hypervisors and can also boot on actual hardware. 


Boot2Docker is not a "lite" version of Docker. 


Pet ddtker 
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Install Docker 


Docker Mac and Docker Windows 


Docker Mac and Docker Windows are newer products 

They let you run Docker without VirtualBox 

They are installed like normal applications (think QEMU, but faster) 
They provide better integration with enterprise VPNs 


They support filesystem sharing through volumes (we'll talk about this later) 


Only downside (for now): only one instance at a time; so if you want to run a full cluster 
on your local machine, you can fallback on the Docker Toolbox (it can coexist with 
Docker Mac/Windows just fine). 
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Install Docker 


Su-su-sudo 
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Install Docker 


Important PSA about security 
The docker user is root equivalent. 
It provides root-level access to the host. 
You should restrict access to it like you would protect root. 


If you give somebody the ability to access the Docker API, you are giving them full 
access on the machine. 


Therefore, the Docker control socket is (by default) owned by the docker group, to 
avoid unauthorized access on multi-user machines. 


If your user is not in the docker group, you will need to prefix every command with 
sudo; eg. sudo docker version. 
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Install Docker 


Reminder ... 


Note: if you were provided with a training VM for a hands-on tutorial, you can skip this 
chapter, since that VM already has Docker installed, and Docker has already been setup 
to run without sudo. 
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Install Docker 


The docker group 
Add the Docker group 


$ sudo groupadd docker 
Add ourselves to the group 


$ sudo gpasswd -a $USER docker 


Restart the Docker daemon 


$ sudo service docker restart 


Log out 


$ exit 
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Install Docker 


Check that Docker works without sudo 


$ docker version 


Client: 
Version: 


API version: 


Go version: 
Git commit: 
Built: 
OS/Arch: 


Server: 
Version: 


API version: 


Go version: 
Git commit: 
Built: 
OS/Arch: 


Tue Apr 26 23:38:55 2016 
Linux/amd64 


Tue Apr 26 23:38:55 2016 
Linux/amd64 
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Install Docker 


Section summary 


We've learned how to: 


e Install Docker. 


e Run Docker without sudo. 
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Our First Containers 


Our First Containers 
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Our First Containers 


Lesson 4: Our First Containers 
Objectives 


At the end of this lesson, you will have: 


Seen Docker in action. 


Started your first containers. 
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Our First Containers 


Docleer architecture 


Docker is a client-server application. 


- The Docker Engine (or "daemon") 
Receives and processes incoming Docker API requests. 


e The Docker client 
Talks to the Docker daemon via the Docker API. 
We'll use mostly the CLI embedded within the docker binary. 


+ Docker Hub Registry 


Collection of public images. 
The Docker daemon talks to it via the registry API. 
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Our First Containers 


Hello World 


In your Docker environment, just run the following command: 


$ docker run busybox echo hello world 
hello world 
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Our First Containers 


That vvas our first containerl 


We used one of the smallest, simplest images available: busybox. 
busybox is typically used in embedded systems (phones, routers...) 


We ran a single process and echo'ed hello world. 
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Our First Containers 


A more useful container 
Let's run a more exciting container: 


$ docker run -it ubuntu 
root@04c0bb0a6c07:/# 


e This is a brand new container. 
e Itruns a bare-bones, no-frills ubuntu system. 


e -itisshorthand for -i -t. 


e -1 tells Docker to connect us to the container's stdin. 
+ -t tells Docker that we want a pseudo-terminal. 
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Do something in our container 
Try to run figlet in our container. 


root@04cObb0a6c07:/# figlet hello 
bash: figlet: command not found 


Alright, we need to install it. 
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An obvservation 
Let's check how many packages are installed here. 


See as dpkg -l | we -l 
1 


e dpkg -l lists the packages installed in our container 
e wc -l counts them 


e If you have a Debian or Ubuntu machine, you can run the same command and 
compare the results. 
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Install a package in our container 


We want fig Let, so let's install it: 


root@04c0bb0a6c07:/# apt-get update 
Fetched 1514 kB in 14s (103 kB/s) 


Reading package lists... Done 
root@04cObb0abc07:/# apt-get install figlet 


Reading package lists... Done 


One minute later, figlet is installed! 


# Ba hello 


— 
DE: 
ts 

| 


Docker Fundamentals d7590d1 83 © 2015 Docker Inc 


Our First Containers 


Exiting our container 
Just exit the shell, like you would usually do. 
(E.g. with ^D or exit) 


root@04cObb0a6c07:/# exit 


e Our container is now in a stopped state. 


- It still exists on disk, but all compute resources have been freed up. 
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Starting another container 
What if we start a new container, and try to run figlet again? 


$ docker run -it ubuntu 
root@b13c164401fb:/# figlet 
bash: figlet: command not found 


+ We started a brand new container. 
- The basic Ubuntu image was used, and fig Let is not here. 


+ Wewillsee in the next chapters how to bake a custom image with figlet. 
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Background Containers 
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Lesson 5: Background Containers 
Objectives 
Our first containers were interactive. 


We will now see how to: 


e Run a non-interactive container. 

e Run a container in the background. 
e List running containers. 

+ Check the logs of a container. 

+ Stop a container. 


e List stopped containers. 
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A non-interactive container 


We will run a small custom container. 
This container just displays the time every second. 


$ docker run jpetazzo/clock 
Fri Feb 20 00:28:53 UTC 2015 
Fri Feb 20 00:28:54 UTC 2015 
Fri Feb 20 00:28:55 UTC 2015 
e This container will run forever. 
«To stop it, press ^C. 
e Docker has automatically downloaded the image jpetazzo/clock. 
- This image is a user image, created by jpetazzo. 


e Wewill hear more about user images (and other types of images) later. 
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Run a container in the background 
Containers can be started in the background, with the - d flag (daemon mode): 


$ docker run -d jpetazzo/clock 
47d677dcfba4277c6cc68fcaa51f932b544cabl1a18/7c853b/d0caf4e8debe5ad 


+ We don't see the output of the container. 
e But don't worry: Docker collects that output and logs it! 


+ Docker gives us the ID of the container. 
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List running containers 


How can we check that our container is still running? 


With docker ps, just like the UNIX ps command, lists running processes. 


$ docker ps 
CONTAINER ID IMAGE ... CREATED STATUS 
47d677dcfba4 jpetazzo/clock ... 2 minutes ago Up 2 minutes 


Docker tells us: 


e The (truncated) ID of our container. 
- The image used to start the container. 
e That our container has been running (Up) for a couple of minutes. 


+ Other information (COMMAND, PORTS, NAMES) that we will explain later. 
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Starting more containers 
Let's start two more containers. 


$ docker run -d jpetazzo/clock 
57ad9bdfc06bb4407c47220c f59ce21585dce9a1298d7a67488359aeaea8ae2a 
$ docker run -d jpetazzo/clock 
068cc994ffd0190bbe025ba74e4c0771a5d8f14734af7/72ddee8dclaaf20567d 


Check that docker ps correctly reports all 3 containers. 
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Two useful flags for docker ps 
To see only the last container that was started: 


$ docker ps -l 
CONTAINER ID IMAGE ... CREATED STATUS 
068cc994ffdO jpetazzo/clock ... 2 minutes ago Up 2 minutes 


To see only the ID of containers: 


$ docker ps -q 
068cc994ffd0 
57ad9bdfc06b 
47d677dcfba4 


Combine those flags to see only the ID of the last container started! 


$ docker ps -lq 
068cc994ffd0 
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View the logs of a container 


We told you that Docker was logging the container output. 
Let's see that now. 


$ docker logs 068 
Fri Feb 20 00:39:52 UTC 2015 
Fri Feb 20 00:39:53 UTC 2015 
+ We specified a prefix of the full container ID. 


+ You can, of course, specify the full ID. 


+ The logs command will output the entire logs of the container. 
(Sometimes, that will be too much. Let's see how to address that.) 
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View only the tail of the logs 


To avoid being spammed with eleventy pages of output, we can use the - -tail 
option: 


$ docker logs --tail 3 068 

Fri Feb 20 00:55:35 UTC 2015 
Fri Feb 20 00:55:36 UTC 2015 
Fri Feb 20 00:55:37 UTC 2015 


- The parameter is the number of lines that we want to see. 
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Follow the logs in real time 


Just like with the standard UNIX command tail - f, we can follow the logs of our 
container: 


$ docker logs --tail 1 --follow 068 
Fri Feb 20 00:57:12 UTC 2015 
Fri Feb 20 00:57:13 UTC 2015 
e This will display the last line in the log file. 


e Then, it will continue to display the logs in real time. 


+ Use ^C to exit. 


Docker Fundamentals d7590d1 95 © 2015 Docker Inc 


Background Containers 


Stop our container 


There are two ways we can terminate our detached container. 


Killing it using the docker kill command. 


Stopping it using the docker stop command. 


The first one stops the container immediately, by using the KILL signal. 


The second one is more graceful. It sends a TERM signal, and after 10 seconds, if the 
container has not stopped, it sends KILL. 


Reminder: the KILL signal cannot be intercepted, and will forcibly terminate the 
container. 
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Stopping our containers 
Let's stop one of those containers: 


$ docker stop 47d6 
47d6 


This will take 10 seconds: 


+ Docker sends the TERM signal; 


+ the container doesn't react to this signal (it's a simple Shell script with no special 


signal handling); 


+ 10 seconds later, since the container is still running, Docker sends the KILL 


signal; 


e this terminates the container. 
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Killing the remaining containers 
Let's be less patient with the two other containers: 


$ docker kill 068 57ad 
068 
57ad 


The stop and kill commands can take multiple container IDs. 
Those containers will be terminated immediately (without the 10 seconds delay). 


Let's check that our containers don't show up anymore: 


$ docker ps 
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List stopped containers 
We can also see stopped containers, with the -a (- -al l) option. 


$ docker ps -a 


CONTAINER ID IMAGE ... CREATED STATUS 

068cc994ffdO jpetazzo/clock ... 21 min. ago Exited (137) 3 min. ago 
57ad9bdfc06b jpetazzo/clock ... 21 min. ago Exited (137) 3 min. ago 
47d677dcfba4 jpetazzo/clock ... 23 min. ago Exited (137) 3 min. ago 
5cldfd4d81fl jpetazzo/clock ... 40 min. ago Exited (0) 40 min. ago 
b13c164401fb ubuntu ... 55 min. ago Exited (130) 53 min. ago 
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Restarting and Attaching to Containers 
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Lesson 6: Restarting and Attaching to Containers 
Objectives 
We have started containers in the foreground, and in the background. 


In this chapter, we will see how to: 


Put a container in the background. 
Attach to a background container to bring it to the foreground. 


Restart a stopped container. 


Docker Fundamentals d7590d1 101 © 2015 Docker Inc 


Restarting and Attaching to Containers 


Background and foreground 


The distinction between foreground and background containers is arbitrary. 

From Docker's point of view, all containers are the same. 

All containers run the same way, whether there is a client attached to them or not. 
It is always possible to detach from a container, and to reattach to a container. 


Analogy: attaching to a container is like plugging a keyboard and screen to a physical 
server. 
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Detaching from a container 


- If you have started an interactive container (with option - it), 
you can detach from it. 


+ The "detach" sequence is "PQ. 


e Otherwise you can detach by killing the Docker client. 
(But not by hitting ^C, as this would deliver SIGINT to the container.) 


What does - it stand for? 


e -t means "allocate a terminal! 


e -i means "connect stdin to the terminal” 
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Specifying a custom detach sequence 


+ You don't like *~P*Q? No problem! 
- You can change the sequence with docker run --detach-keys. 
e This can also be passed as a global option to the engine. 
Start a container with a custom detach command: 
$ docker run -ti --detach-keys ctrl-x,x jpetazzo/clock 
Detach by hitting ^X x. (This is ctrl-x then x, not ctrl-x twice!) 
Check that our container is still running: 


$ docker ps -l 
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Attaching to a container 
You can attach to a container: 


$ docker attach <containerID> 


- The container must be running. 

+ There can be multiple clients attached to the same container. 

- If you don't specify - -detach-keys when attaching, it defaults back to ^P^Q. 
Try it on our previous container: 


$ docker attach $(docker ps -lq) 


Check that ^X x doesn't work, but "P. ^Q does. 


Docker Fundamentals d7590d1 105 © 2015 Docker Inc 


Restarting and Attaching to Containers 


Detaching from non-interactive containers 


Warning: if the container was started without - it... 


e You won't be able to detach with "PQ. 
e If you hit ^C, the signal will be proxied to the container. 


Remember: you can always detach by killing the Docker client. 
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Checking container output 


e Usedocker attach if you intend to send input to the container. 


- If you just want to see the output of a container, use docker Logs. 


$ docker logs --tail 1 --follow <containerID> 
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Restarting a container 


When a container has exited, it is in stopped state. 


It can then be restarted with the start command. 


$ docker start syourContainerID: 


The container will be restarted using the same options you launched it with. 
You can re-attach to it if you want to interact with it: 


$ docker attach syourContainerID: 


Use docker ps -a to identify the container ID of a previous j petazzo/clock 
container, and try those commands. 
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Attaching to a REPL 


e REPL = Read Eval Print Loop 

+ Shells, interpreters, TUI ... 

e Symptom: you docker attach, and see nothing 

e The REPL doesn't know that you just attached, and doesn't print anything 


- Try hitting ^L or Enter 
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SIGVVINCH 


+ When you docker attach, the Docker Engine sends a couple of SIGWINCH 
signals to the container. 


e SIGWINCH = WINdow CHange; indicates a change in window size. 
e This will cause some CLI and TUI programs to redraw the screen. 


e Butnotall of them. 
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Understanding Docker Images 
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Lesson 7: Understanding Docker Images 
Objectives 


In this lesson, we will explain: 


What is an image. 

What is a layer. 

The various image namespaces. 

How to search and download images. 


Image tags and when to use them. 
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What is an image? 
+ Animage is a collection of files + some meta data. 
(Technically: those files form the root filesystem of a container.) 
+ Images are made of layers, conceptually stacked on top of each other. 
e Each layer can add, change, and remove files. 
e Images can share layers to optimize disk usage, transfer times, and memory use. 


- Example: 


+ CentOS 

+ JRE 

+ Tomcat 

- Dependencies 
e Application JAR 
e Configuration 
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Differences between containers and images 


+ Animage is a read-only filesystem. 


+ Acontainer is an encapsulated set of processes running in a read-write copy of 
that filesystem. 


- To optimize container boot time, copy-on-write is used instead of regular copy. 


e docker run starts a container from a given image. 


Let's give a couple of metaphors to illustrate those concepts. 


Docker Fundamentals d7590d1 114 © 2015 Docker Inc 


Understanding Docker Images 


Image as stencils 


Images are like templates or stencils that you can create containers from. 
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Object-oriented programming 


+ Images are conceptually similar to classes. 
+ Layers are conceptually similar to inheritance. 


+ Containers are conceptually similar to instances. 
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Wait a minute... 


If an image is read-only, how do we change it? 


+ We don't. 

- We create a new container from that image. 

e Then we make changes to that container. 

e When we are satisfied with those changes, we transform them into a new layer. 


- Anew image is created by stacking the new layer on top of the old image. 
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A chicken-and-egg problem 


+ The only way to create an image is by "freezing" a container. 
+ The only way to create a container is by instanciating an image. 


+ Help! 
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Creating the first images 


There is a special empty image called scratch. 
It allows to build from scratch. 
The docker import command loads a tarball into Docker. 


The imported tarball becomes a standalone image. 


That new image has a single layer. 


Note: you will probably never have to do this yourself. 
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Creating other images 


docker commit 


- Saves all the changes made to a container into a new layer. 


- Creates a new image (effectively a copy of the container). 
docker build 


- Performs a repeatable build sequence. 


e This is the preferred method! 


We will explain both methods in a moment. 
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Images namespaces 


There are three namespaces: 


Official images 
e.g. ubuntu, busybox ... 


User (and organizations) images 
e.g. jpetazzo/clock 


Self-hosted images 
e.g. registry.example.com:5000/my-private/image 


Let's explain each of them. 
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Root namespace 


The root namespace is for official images. They are put there by Docker Inc., but they 
are generally authored and maintained by third parties. 


Those images include: 


+ Small, "swiss-army-knife" images like busybox. 
- Distro images to be used as bases for your builds, like ubuntu, fedora... 


e Ready-to-use components and services, like redis, postgresql... 
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User namespace 
The user namespace holds images for Docker Hub users and organizations. 
For example: 
jpetazzo/clock 
The Docker Hub user is: 
jpetazzo 
The image name is: 


clock 
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Self-Hosted namespace 


This namespace holds images which are not hosted on Docker Hub, but on third party 
registries. 


They contain the hostname (or IP address), and optionally the port, of the registry 
server. 


For example: 


localhost:5000/vordpress 


e localhost :5000 is the host and port of the registry 


e wordpress is the name of the image 
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How do you store and manage images? 


Images can be stored: 


On your Docker host. 


In a Docker registry. 


You can use the Docker client to download (pull) or upload (push) images. 


To be more accurate: you can use the Docker client to tell a Docker server to push and 
pull images to and from a registry. 
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Showing current images 


Let's look at what images are on our host now. 


$ docker images 
REPOSITORY 
fedora 

centos 

ubuntu 

redis 

postgres 
alpine 

debian 

busybox 
training/namer 
jpetazzo/clock 
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TAG 

latest 
latest 
latest 
latest 
latest 
latest 
latest 
latest 
latest 
latest 


IMAGE ID 

ddd5c9c1d0f2 
d0e7f81ca65c 
07c86167cdc4 
4f5f397d4b7c 
afe2b5e1859b 
70c557e50ed6 
f50f9524513Tf 
3240943c9ea3 
902673acc741 
12068b93616f 


CREATED 
3 days 
3 days 
4 days 
5 days 
5 days 
5 days 
6 days 
2 
9 
1 


weeks ago 
months ago 
2 months ago 


126 


ago 
ago 
ago 
ago 
ago 
ago 
ago 


SIZE 
204.7 MB 
196.6 MB 
188 MB 
177.6 MB 
264.5 MB 
4.798 MB 
125.1 MB 
1.114 MB 
289.3 MB 
2.433 MB 
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Searching for images 
We cannot list all images on a remote registry, but we can search for a specific keyword: 


$ docker search zookeeper 


NAME DESCRIPTION STARS OFFICIAL AUTOMATED 
jplock/zookeeper Builds a docker image ... 103 [OK] 
mesoscloud/zookeeper ZooKeeper 42 [OK] 
springxd/zookeeper A Docker image that ca... 5 [OK] 
elevy/zookeeper ZooKeeper configured t... 3 [OK] 


- "Stars" indicate the popularity of the image. 
. "Official" images are those in the root namespace. 


- "Automated" images are built automatically by the Docker Hub. 
(This means that their build recipe is always available.) 
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Downloading images 


There are two ways to download images. 


Explicitly, with docker pull. 


Implicitly, when executing docker run and the image is not found locally. 


Docker Fundamentals d7590d1 128 © 2015 Docker Inc 


Understanding Docker Images 


Pulling an image 


$ docker pull debian: jessie 

Pulling repository debian 

b164861940b8: Download complete 

b164861940b8: Pulling image (jessie) from debian 
d1881793a057: Download complete 


- As seen previously, images are made up of layers. 
+ Docker has downloaded all the necessary layers. 


e In this example, : jessie indicates which exact version of Debian we would 
like. It is a version tag. 
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Image and tags 


e Images can have tags. 
- Tags define image versions or variants. 
e docker pull ubuntu will refer to ubuntu: Latest. 


- The : Latest tag is generally updated often. 
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When to (not) use tags 
Don't specify tags: 
- When doing rapid testing and prototyping. 
+ When experimenting. 
e When you want the latest version. 
Do specify tags: 


e When recording a procedure into a script. 
+ When going to production. 
- To ensure that the same version will be used everywhere. 


+ To ensure repeatability later. 
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Section summary 


We've learned how to: 


- Understand images and layers. 
- Understand Docker image namespacing. 


. Search and download images. 
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Building Images Interactively 
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Lesson 8: Building Images Interactively 
Objectives 
In this lesson, we will create our first container image. 
It will be a basic distribution image, but we will pre-install the package figlet. 


We will: 


Create a container from a base image. 
Install software manually in the container, and turn it into a new image. 


Learn about new commands: docker commit, docker tag, and docRer 
dif f. 
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Building Images Interactively 
As we have seen, the images on the Docker Hub are sometimes very basic. 
How do we want to construct our own images? 
As an example, we will build an image that has figlet. 
First, we will do it manually with docker commit. 


Then, in an upcoming chapter, we will use a Dockerfile and docker build. 
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Building from a base 


Our base will be the ubuntu image. 
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Create a new container and make some changes 
Start an Ubuntu container: 


$ docker run -it ubuntu 
root@<yourContainerld>:#/ 


Run the command apt-get update to refresh the list of packages available to 
install. 


Then run the command apt-get install figlet to install the program we are 
interested in. 


root@<yourContainerId>:#/ apt-get up Gare && apt-get install figlet 
.... OUTPUT OF APT-GET COMMANDS ... 
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Inspect the changes 


Type exit at the container prompt to leave the interactive session. 


Now let's run docker diff to see the difference between the base image and our 
container. 


docker diff <yourContainerId> 
/root 

/root/.bash history 

/tmp 

/usr 

/usr/bin 

/usr/bin/figlet 


- POOORBROR 
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Docker tracks filesystem changes 


As explained before: 


An image is read-only. 
When we make changes, they happen in a copy of the image. 
Docker can show the difference between the image, and its copy. 


For performance, Docker uses copy-on-write systems. 
(i.e. starting a container based on a big image doesn't incur a huge copy.) 
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Commit and run your image 


The docker commit command will create a new layer with those changes, and a new 
image using this new layer. 


$ docker commit <yourContainerlId> 
<newImageld> 


The output of the docker commit command will be the ID for your newly created 
image. 


We can run this image: 


$ docker run -it <newImageld> 
root@fcfb62f0bfde:/# figlet hello 
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Tagging images 


Referring to an image by its ID is not convenient. Let's tag it instead. 


VVe can use the tag command: 
$ docker tag <newlmageld> figlet 
But vve can also specify the tag as an extra argument to commit: 


$ docker commit <containerId> figlet 


And then run it using its tag: 


$ docker run -it figlet 
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What's next? 


Manual process = bad. 
Automated process = good. 


In the next chapter, we will learn how to automate the build process by writing a 
Dockerfile. 
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Building Docker images 
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Lesson 9: Building Images With A Dockerfile 
Objectives 
We will build a container image automatically, with aDockerfile. 


At the end of this lesson, you will be able to: 


Write aDockerfile. 


Build an image from a Dockerfile. 
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Dockerfi Le overview 


e ADockerfile isa build recipe for a Docker image. 
- It contains a series of instructions telling Docker how an image is constructed. 


e Thedocker build command builds an image from a Dockerfile. 
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Writing our first Dockerfile 
Our Dockerfile must be in a new, empty directory. 


1. Create a directory to hold our Dockerfile. 


$ mkdir myimage 


2. Create aDocRerfile inside this directory. 
$ cd myimage 


$ vim Dockerfile 


Of course, you can use any other editor of your choice. 
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Type this into our Docterfile... 


FROM ubuntu 
RUN apt-get update 
RUN apt-get install figlet 


FROM indicates the base image for our build. 
Each RUN line will be executed by Docker during the build. 


Our RUN commands must be non-interactive. 
(No input can be provided to Docker during the build.) 


In many cases, we will add the - y flag to apt-get. 
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Build itl 
Save our file, then execute: 


$ docker build -t figlet . 


e -t indicates the tag to apply to the image. 
e — , indicates the location of the build context. 


(We will talk more about the build context later; but to keep things simple: this is 
the directory where our Dockerfile is located.) 
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What happens when we build the image? 
The output of docker build looks like this: 


$ docker build -t figlet . 
Sending build context to Docker daemon 2.048 kB 
Sending build context to Docker daemon 
Step © : FROM ubuntu 

---> e54ca5efa2e9 
Step 1 : RUN apt-get update 

---> Running in 840cb3533193 

---> 7257¢37726al 
Removing intermediate container 840cb3533193 
Step 2 : RUN apt-get install figlet 

---> Running in 2b44df/62a2f 

---> f9e8f 1642759 
Removing intermediate container 2b44df762a2f 
Successfully built f9e8f1642759 


- The output of the RUN commands has been omitted. 


- Let's explain what this output means. 
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Sending the build context to Docker 


Sending build context to Docker daemon 2.048 kB 


The build context is the . directory given to docker build. 
It is sent (as an archive) by the Docker client to the Docker daemon. 
This allows to use a remote machine to build using local files. 


Be careful (or patient) if that directory is big and your link is slow. 
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Building Docker images 


Executing each step 


Step 1 : RUN apt-get update 
---> Running in 840cb3533193 
(...output of the RUN command...) 
---> 7257c37726al 
Removing intermediate container 840cb3533193 


. A container (840cb3533193) is created from the base image. 
e The RUN command is executed in this container. 

+ The container is committed into an image (7257c37726a1). 
- The build container (840Cb3533193) is removed. 


e The output of this step will be the base image for the next one. 
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The caching system 
If you run the same build again, it vvill be instantaneous. 


Why? 


After each build step, Docker takes a snapshot of the resulting image. 
Before executing a step, Docker checks if it has already built the same sequence. 
Docker uses the exact strings defined in your Dockerfile, so: 

e RUN apt-get install figlet cowsay 


is different from 
RUN apt-get install cowsay figlet 


e RUN apt-get update is not re-executed when the mirrors are 
updated 


You can force arebuild with docker build --no-cache ... 
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Running the image 
The resulting image is not different from the one produced manually. 


$ docker run -ti figl 
rootg91f3C974c9a1: ja figlet hello 


e Sweet is the taste of success! 
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Using image and vievving history 


The history command lists all the layers composing an image. 


For each layer, it shows its creation time, size, and creation command. 


When an image was built with a Dockerfile, each layer corresponds to a line of the 


Dockerfile. 


$ docker history figlet 

IMAGE CREATED 
f9e8f1642759 About an hour ago 
7257c37726a1 About an hour ago 
07c86167cdc4 4 days ago 


<missing> 4 days ago 
<missing> 4 days ago 
<missing> 4 days ago 
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CREATED 
/bin/sh 
/bin/sh 
/bin/sh 
/bin/sh 
/bin/sh 
/bin/sh 


154 


apt-get install fi 
apt-get update 
#(nop) CMD ["/bin 
sed -i 's/*#\s*\( 
echo '#!/bin/sh' 
#(nop) ADD file:b 


SIZE 

1.627 MB 
21.58 MB 
0 B 

1.895 kB 
194.5 RB 
187.8 MB 
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Building Docker images 


Introducing JSON syntax 


Most Docleerfile arguments can be passed in tvvo forms: 


e plain string: 
RUN apt-get install figlet 


+ JSON list: 
RUN ["apt-get", "install", "figlet"] 


Let's change our Dockerfile as follows! 


FROM ubuntu 
RUN apt-get update 
RUN ["apt-get", "install", "figlet"] 


Then build the new Dockerfile. 


$ docker build -t figlet . 
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Building Docker images 


JSON syntax vs string syntax 


Compare the nevv history: 


$ docker history figlet 

IMAGE CREATED 
27954bb5faaf 10 seconds ago 
7257¢37726a1 About an hour ago 
07c86167cdc4 4 days ago 


<missing> 4 days ago 
<missing> 4 days ago 
<missing> 4 days ago 


CREATED 
apt-get 
/bin/sh 
/bin/sh 
/bin/sh 
/bin/sh 
/bin/sh 


BY 

install figlet 

-c apt-get update 

-c #(nop) CMD ["/bin 
-c sed -i 's/*#\s*\( 
-c echo '#!/bin/sh' 
-c #(nop) ADD file:b 


e JSON syntax specifies an exact command to execute. 


187.8 MB 


- String syntax specifies a command to be wrapped within /bin/sh -c 
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CMD and ENTRYPOINT 


CMD and ENTRYPOINT 
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Lesson 10: CMD and ENTRYPOINT 


Objectives 
In this lesson, we will learn about two important Dockerfile commands: 
CMD and ENTRYPOINT. 


Those commands allow us to set the default command to run in a container. 
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CMD and ENTRYPOINT 


Defining a default command 


When people run our container, we want to greet them with a nice hello message, and 
using a custom font. 


For that, we will execute: 


figlet -f script hello 


- -f Script tells figlet to use a fancy font. 


e hello is the message that we want it to display. 
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CMD and ENTRYPOINT 


Adding CMD to our Docterfile 


Our new Dockerfile will look like this: 


FROM ubuntu 

RUN apt-get update 

RUN ["apt-get", "install", "figlet"] 
CMD figlet -f script hello 


+ (CMD defines a default command to run when none is given. 
+ — lt can appear at any point in the file. 
e Each CMD will replace and override the previous one. 


- Asaresult, while you can have multiple CMD lines, it is useless. 
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CMD and ENTRYPOINT 


Build and test our image 
Let's build it: 


$ docker build -t figlet . 
Successfully built 042dff3b4a8d 


And run it: 


$ docker run figlet 


/ / \ 


DA a i 


/N i? 
HAE 
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Overriding CMD 


If we want to get a shell into our container (instead of running f ig Let), we just have to 
specify a different program to run: 


$ docker run -it figlet bash 
root@/ac86a641116:/# 


+ We specified bash. 


+ It replaced the value of CMD. 
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CMD and ENTRYPOINT 


Using ENTRYPOINT 


We want to be able to specify a different message on the command line, while retaining 
figlet and some default parameters. 


In other words, we would like to be able to do this: 


$ docker run figlet salut 


Lt À 
VAZI 


a j| 6 


We will use the ENTRYPOINT verb in Dockerfile. 
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CMD and ENTRYPOINT 


Adding ENTRYPOINT to our Dockerfile 


Our new Dockerfile will look like this: 


FROM ubuntu 

RUN apt-get update 

RUN ["apt-get", "install", "figlet"] 
ENTRYPOINT ["figlet", "-f", "script"] 


ENTRYPOINT defines a base command (and its parameters) for the container. 
The command line arguments are appended to those parameters. 


Like CMD, ENTRYPOINT can appear anywhere, and replaces the previous value. 


Why did we use JSON syntax for our ENTRYPOINT? 
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CMD and ENTRYPOINT 


Implications of JSON vs string syntax 


When CMD or ENTRYPOINT use string syntax, they get wrapped in sh -c. 


To avoid this wrapping, you must use JSON syntax. 


What if we used ENTRYPOINT with string syntax? 


$ docker run figlet salut 


This would run the following command in the figlet image: 


sh -c "figlet -f script" salut 
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Build and test our image 
Let's build it: 


$ docker build -t figlet . 
Successfully built 36f588918d73 


And run it: 
$ docker run figlet salut 


/ 


r 


F / PA /| E 


Great success! 
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Using CMD and ENTRYPOINT together 


What if we want to define a default message for our container? 


Then we will use ENTRYPOINT and CMD together. 


ENTRYPOINT will define the base command for our container. 
CMD will define the default parameter(s) for this command. 


They both have to use JSON syntax. 
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CMD and ENTRYPOINT together 


Our new Dockerfile will look like this: 


FROM ubuntu 

RUN apt-get update 

RUN [“apt-get", "install", "figlet"l 
ENTRYPOINT ["figlet", "-f", "script"] 
CMD ["hello world"] 


+ ENTRYPOINT defines a base command (and its parameters) for the container. 


- If we don't specify extra command-line arguments when starting the container, 
the value of CMD is appended. 


e Otherwise, our extra command-line arguments are used instead of CMD. 
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CMD and ENTRYPOINT 


Build and test our image 


Let's build it: 


$ docker build -t figlet . 
Successfully built 6e0b6a048a07 


And run it: 


$ docker run figlet 


Oe ap MO Lk 
a X \/ 


/\ / | 2 L IZ AS / af 
| /| /\__/\_/\_/ VV XV / |; _/\_/\|_/ 

$ docker run figlet hola mundo 

i (NN J i "a V | / |Z / NN 
LAN <7 AN /l / | | E Wil; | LA, /N / 
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Overriding ENTRYPOINT 


What if we want to run a shell in our container? 


We cannot just do docker run figlet bash because that would just tell figlet to 
display the word "bash." 


We use the - -entrypoint parameter: 


$ docker run -it --entrypoint bash figlet 
root@6027e44e2955: /# 
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Copying files during the build 
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Lesson 11: Copying files during the build 
Objectives 
So far, we have installed things in our container images by downloading packages. 
We can also copy files from the build context to the container that we are building. 
Remember: the build context is the directory containing the Dockerfile. 


In this chapter, we will learn a new Dockerfile keyword: COPY. 
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Copying files during the build 


Build some C code 


We want to build a container that compiles a basic "Hello world" program in C. 


Here is the program, hel lo. C: 


int main () { 
puts("Hello, world!"); 
return 0; 


Let's create a new directory, and put this file in there. 


Then we will write the Dockerfile. 
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Copying files during the build 


The Dockerfile 


On Debian and Ubuntu, the package build-essential will get us a compiler. 


When installing it, don't forget to specify the -y flag, otherwise the build will fail (since 
the build cannot be interactive). 


Then we will use COPY to place the source file into the container. 


FROM ubuntu 

RUN apt-get update 

RUN apt-get install -y build-essential 
COPY hello.c / 

RUN make hello 

CMD /hello 


Create this Dockerfile. 
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Copying files during the build 


Testing our C program 


Create hel lo. c and Dockerfile in the same direcotry. 
Rundocker build -t hello . inthis directory. 


Run docker run hello, you should see Hello, world!. 


Success! 
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Copying files during the build 


COPY and the build cache 


Run the build again. 
Now, modify hello. c and run the build again. 
Docker can cache steps involving COPY. 


Those steps will not be executed again if the files haven't been changed. 
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Copying files during the build 


Details 


. You can COPY whole directories recursively. 


+ Older Dockerfiles also have the ADD instruction. 
It is similar but can automatically extract archives. 


- If we really wanted to compile C code in a compiler, we would: 


e Place it in a different directory, with the WORKD IR instruction. 
- Even better, use the gcc official image. 
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Advanced Dockerfiles 
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Lesson 12: Advanced Dockerfiles 
Objectives 


We have seen simple Dockerfiles to illustrate how Docker build container images. In this 
chapter, we will see: 


The syntax and keywords that can be used in Dockerfiles. 


Tips and tricks to write better Dockerfiles. 


Docker Fundamentals d7590d1 179 © 2015 Docker Inc 


Advanced Dockerfiles 


Dockerfile usage summary 


e Dockerfile instructions are executed in order. 
- Each instruction creates a new layer in the image. 


e Instructions are cached. If no changes are detected then the instruction is 
skipped and the cached layer used. 


e The FROM instruction MUST be the first non-comment instruction. 
- Lines starting with # are treated as comments. 


e You can only have one CMD and one ENTRYPOINT instruction in a 
Dockerfile. 
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Advanced Dockerfiles 


The FROM instruction 


+ Specifies the source image to build this image. 


e Must be the first instruction in the Dockerfile, except for comments. 
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The FROM instruction 


Can specify a base image: 


FROM ubuntu 

An image tagged with a specific version: 
FROM ubuntu:12.04 

A user image: 


FROM training/sinatra 


Or self-hosted image: 


FROM localhost:5000/funtoo 
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More about FROM 


The FROM instruction can be specified more than once to build multiple images. 


FROM ubuntu:14.04 
FROM fedora:20 


Each FROM instruction marks the beginning of the build of a new image. 
The -t command-line parameter will only apply to the last image. 


If the build fails, existing tags are left unchanged. 


An optional version tag can be added after the name of the image. 
E.g.: ubuntu: 14. 04. 
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A use case for multiple FROM lines 
Integrate Cl and unit tests in the build system 


FROM <baseimage> 

RUN <install dependencies> 

COPY <code> 

RUN <build code> 

RUN <install test dependencies> 
COPY <test data sets and fixtures> 
RUN <unit tests> 

FROM <baseimage> 

RUN <install dependencies> 

COPY <vcode> 

RUN <build code> 

CMD, EXPOSE ... 


The build fails as soon as an instructions fails 
If RUN <unit tests> fails, the build doesn't produce an image 


If it succeeds, it produces a clean image (without test libraries and data) 
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The MAINTAINER instruction 
The MAINTAINER instruction tells you who wrote the Dockerfile. 


MAINTAINER Docker Education Team <education@docker.com> 


It's optional but recommended. 
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The RUN instruction 


The RUN instruction can be specified in two ways. 


With shell wrapping, which runs the specified command inside a shell, with /bin/sh 
=C: 


RUN apt-get update 


Or using the exec method, which avoids shell string expansion, and allows execution in 
images that don't have /bin/sh: 


RUN [ "apt-get", "update" ] 
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More about the RUN instruction 
RUN will do the following: 


Execute a command. 
Record changes made to the filesystem. 


Work great to install libraries, packages, and various files. 
RUN will NOT do the following: 


Record state of processes. 


Automatically start daemons. 


If you want to start something automatically when the container runs, you should use 
CMD and/or ENTRYPOINT. 
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Collapsing layers 
It is possible to execute multiple commands in a single step: 
RUN apt-get update && apt-get install -y wget && apt-get clean 
It is also possible to break a command onto multiple lines: 
It is possible to execute multiple commands in a single step: 


RUN apt-get update \ 
&& apt-get install -y wget \ 
&& apt-get clean 
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The EXPOSE instruction 


The EXPOSE instruction tells Docker what ports are to be published in this image. 


EXPOSE 8080 
EXPOSE 80 443 
EXPOSE 53/tcp 53/udp 


All ports are private by default. 
The Docker file doesn't control if a port is publicly available. 


When you docker run -p <port> ..., that port becomes public. 
(Even it it was not declared with EXPOSE.) 


When you docker run -P ... (without port number), all ports declared 
with EXPOSE become public. 


A public port is reachable from other containers and from outside the host. 


A private port is not reachable from outside. 
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The COPY instruction 


The COPY instruction adds files and content from your host into the image. 


COPY . /src 


This will add the contents of the build context (the directory passed as an argument to 
docker build) to the directory /src in the container. 


Note: you can only reference files and directories inside the build context. Absolute 
paths are taken as being anchored to the build context, so the two following lines are 
equivalent: 


COPY . /src 
COPY / /src 


Attempts to use . . to get out of the build context will be detected and blocked with 
Docker, and the build will fail. 


Otherwise, a Docker file could succeed on host A, but fail on host B. 
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ADD 


ADD works almost like COPY, but has a few extra features. 
ADD can get remote files: 
ADD http://www.example.com/webapp. jar /opt/ 
This would download the webapp. jar file and place it in the /opt directory. 
ADD will automatically unpack zip files and tar archives: 
ADD ./assets.zip /var/www/htdocs/assets/ 


This would unpack assets. Zip into /var/www/htdocs/assets. 


However, ADD will not automatically unpack remote archives. 
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ADD, COPY, and the build cache 


For most Dockerfiles instructions, Docker only checks if the line in the Dockerfile 
has changed. 


For ADD and COPY, Docker also checks if the files to be added to the container 
have been changed. 


ADD always need to download the remote file before it can check if it has been 
changed. (It cannot use, e.g., ETags or If-Modified-Since headers.) 
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VOLUME 


The VOLUME instruction tells Docker that a specific directory should be a volume. 


VOLUME /var/lib/mysql 


Filesystem access in volumes bypasses the copy-on-write layer, offering native 
performance to I/O done in those directories. 


Volumes can be attached to multiple containers, allowing to "port" data over from a 
container to another, e.g. to upgrade a database to a newer version. 


It is possible to start a container in "read-only" mode. The container filesystem will be 
made read-only, but volumes can still have read/write access if necessary. 
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The WORKD IR instruction 


The WORKDIR instruction sets the working directory for subsequent instructions. 


It also affects CMD and ENTRYPOINT, since it sets the working directory used when 
starting the container. 


WORKDIR /src 


You can specify WORKDIR again to change the working directory for further operations. 
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The ENV instruction 


The ENV instruction specifies environment variables that should be set in any container 
launched from the image. 


ENV WEBAPP_PORT 8080 


This will result in an environment variable being created in any containers created from 
this image of 


WEBAPP_ PORT=8080 


You can also specify environment variables when you use docker run. 


$ docker run -e WEBAPP PORT=8000 -e WEBAPP HOST=www.example.com ... 
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The USER instruction 


The USER instruction sets the user name or UID to use when running the image. 


It can be used multiple times to change back to root or to another user. 
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The CMD instruction 


The CMD instruction is a default command run when a container is launched from the 
image. 


CMD [ "nginx", "-g", "daemon off;" ] 


Means we don't need to specify nginx -g "daemon off," when running the 
container. 


Instead of: 
$ docker run <dockerhubUsername>/web image nginx -g "daemon off;" 
We can just do: 


$ docker run <dockerhubUsername>/web image 
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More about the CMD instruction 
Just like RUN, the CMD instruction comes in two forms. The first executes in a shell: 


CMD nginx -g "daemon off;" 


The second executes directly, without shell processing: 


CMD [ "nginx", "-g", "daemon off;" ] 
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Overriding the CMD instruction 
The CMD can be overridden when you run a container. 


$ docker run -it <dockerhubUsername>/web image bash 


Will run bash instead of nginx -g "daemon off;". 
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The ENTRYPOINT instruction 


The ENTRYPOINT instruction is like the CMD instruction, but arguments given on the 
command line are appended to the entry point. 


Note: you have to use the "exec" syntax ([ "..." J). 


ENTRYPOINT [ "/bin/ts" ] 


If we were to run: 


$ docker run training/ls -l 


Instead of trying to run - l, the container will run /bin/ls -L 
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Overriding the ENTRYPOINT instruction 


The entry point can be overriden as well. 


$ docker run -it training/ls 

bin dev home 1ib64 mnt proc run srv tmp var 
boot etc lib media opt root sbin sys usr 

$ docker run -it --entrypoint bash training/1s 
root@d902fb7b1fc7:/# 
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How CMD and ENTRYPOINT interact 
The CMD and ENTRYPOINT instructions work best when used together. 


ENTRYPOINT [ "nginx" ] 
CMD [ "-g", “daemon off," ] 


The ENTRYPOINT specifies the command to be run and the CMD specifies its options. 
On the command line we can then potentially override the options when needed. 


$ docker run -d <dockerhubUsername>/web image -t 


This will override the options CMD provided with new flags. 
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Advanced Dockerfile instructions 


ONBUILD lets you stash instructions that will be executed when this image is 
used as a base for another one. 


LABEL adds arbitrary metadata to the image. 

ARG defines build-time variables (optional or mandatory). 

STOPSIGNAL sets the signal for docker stop (TERM by default). 
HEALTHCHECK defines a command assessing the status of the container. 


SHELL sets the default program to use for string-syntax RUN, CMD, etc. 
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The ONBUILD instruction 


The ONBUILD instruction is a trigger. It sets instructions that will be executed when 
another image is built from the image being build. 


This is useful for building images which will be used as a base to build other images. 
ONBUILD COPY . /src 


You can't chain ONBULLD instructions with ONBUILD. 
ONBUILD can't be used to trigger FROM and MAINTAINER instructions. 
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Building an efficient Dockerfile 


Each line ina Dockerfile creates a new layer. 
Build your Docker file to take advantage of Docker's caching system. 


Combine multiple similar commands into one by using & to continue 
commands and \ to wrap lines. 


COPY dependency lists (package. json, requirements. txt, etc.) by 
themselves to avoid reinstalling unchanged dependencies every time. 
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Example "bad" Dockerfile 


The dependencies are reinstalled every time, because the build system does not know if 
requirements. txt has been updated. 


FROM python 

MAINTAINER Docker Education Team <education@docker. com> 
COPY . /src/ 

WORKDIR /src 

RUN pip install -qr requirements.txt 

EXPOSE 5000 

CMD ["python", "app.py"J 
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Fixed Dockerfile 


Adding the dependencies as a separate step means that Docker can cache more 
efficiently and only install them when requirements. txt changes. 


FROM python 

MAINTAINER Docker Education Team <education@docker. com> 
COPY ./requirements.txt /tmp/requirements.txt 

RUN pip install -qr /tmp/requirements.txt 

COPY . /src/ 

WORKDIR /src 

EXPOSE 5000 

CMD ["python", "“app.py"] 
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A quick word about the Docker Hub 


Docker Fundamentals d7590d1 208 © 2015 Docker Inc 


A quick word about the Docker Hub 


Lesson 13: Uploading our images to the Docker Hub 
We have built our first images. 
If we were so inclined, we could share those images through the Docker Hub. 


We won't do it since we don't want to force everyone to create a Docker Hub account 
(although it's free, yay!) but the steps would be: 


e have an account on the Docker Hub 
e tag our image accordingly (i.e. use rname/ imagename) 


e docker push username/imagename 


Anybody can now docker run username/imagename from any Docker host. 


Images can be set to be private as well. 
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Lesson 14: Naming and inspecting containers 
Objectives 
In this lesson, we will learn about an important Docker concept: container naming. 


Naming allows us to: 


- Reference easily a container. 


- Ensure unicity of a specific container. 


We will also see the inspect command, which gives a lot of details about a container. 
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Naming our containers 
So far, vve have referenced containers vvith their ID. 
VVe have copy-pasted the ID, or used a shortened prefix. 
But each container can also be referenced by its name. 
If a container is named prod - db, | can do: 


$ docker logs prod-db 
$ docker stop prod-db 
etc. 
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Default names 


When we create a container, if we don't give a specific name, Docker will pick one for us. 


It will be the concatenation of: 


+ A mood (furious, goofy, suspicious, boring...) 


e The name of a famous inventor (tesla, darwin, wozniak...) 


Examples: happy curie, clever hopper, jovial lovelace... 
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Specifying a name 
You can set the name of the container vvhen you create it. 


$ docker run --name ticktock jpetazzo/clock 


If you specify a name that already exists, Docker will refuse to create the container. 


This lets us enforce unicity of a given resource. 
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Renaming containers 


e You can rename containers with docker rename. 


e This allows you to "free up" a name without destroying the associated container. 
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Inspecting a container 
The docker inspect command will output a very detailed JSON map. 


$ docker inspect <containerID> 


"AppArmorProfile": "", 
"Args": [], 


"AttachStderr": true, 
"AttachStdin": false, 
"AttachStdout": true, 
"Cmd": [ 


], 
"CpuShares": 0, 


There are multiple ways to consume that information. 


Docker Fundamentals d7590d1 216 © 2015 Docker Inc 


Naming and inspecting containers 


Parsing JSON vvith the Shell 


You could grep and cut or awk the output of docker inspect. 


Please, don't. 
It's painful. 


If you ayy must parse JSON from the Shell, use JQ! 
(It's great 


$ docker inspect <containerID> | jq . 


We will see a better solution which doesn't require extra tools. 
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Using - - format 
You can specify a format string, which will be parsed by Go's text/template package. 


$ docker inspect --format '{{ json .Created }}' <containerID> 
"2015-02-24T07:21:11. 7122403942" 


+ The generic syntax is to wrap the expression with double curly braces. 
+ The expression starts with a dot representing the JSON object. 
e Then each field or member can be accessed in dotted notation syntax. 


e The optional j Son keyword asks for valid JSON output. 
(e.g. here it adds the surrounding double-quotes.) 
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Lesson 15: Container Networking Basics 
Objectives 
We will now run network services (accepting requests) in containers. 


At the end of this lesson, you will be able to: 


e Run a network service in a container. 
- Manipulate container networking basics. 


e Finda container's IP address. 


We will also explain the different network models used by Docker. 
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A simple, static web server 
Run the Docker Hub image nginx, which contains a basic web server: 


$ docker run -d -P ngi 
é6b1ce719198711202c8934484a7b68c3876cf9167015e752b94e189d35a204e 


+ Docker will download the image from the Docker Hub. 
. -d tells Docker to run the image in the background. 


+ -P tells Docker to make this service reachable from other computers. 
(- P is the short version of - -publish-all.) 


But, how do we connect to our web server now? 
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Finding our web server port 


We will use docker ps: 


$ docker ps 
CONTAINER ID IMAGE ... PORTS 
e40ffb406c9e nginx ... 0.0.0.0:32769->80/tcp, 0.0.0.0:32768->443/tcp 


- The web server is running on ports 80 and 443 inside the container. 


- Those ports are mapped to ports 32769 and 32768 on our Docker host. 


We will explain the whys and hows of this port mapping. 


But first, let's make sure that everything works properly. 
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Connecting to our web server (GUI) 


Point your browser to the IP address of your Docker host, on the port shown by 
docker ps for container port 80. 


|) Welcome to nginx! x ie 


€e C | 52.10.123.64:32769 


Welcome to nginx! 


If you see this page, the nginx web server is successfully installed and 
working. Further configuration is required. 


For online documentation and support please refer to nginx.org. 
Commercial support is available at nginx.com. 


Thank you for using nginx. 
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Connecting to our web server (CLI) 


You can also use curl directly from the Docker host. 


Make sure to use the right port number if it is different from the example below: 


$ curl localhost:32769 

<!DOCTYPE html> 

<html> 

<head> 

<title>Welcome to nginx!</title> 


Docker Fundamentals d7590d1 224 © 2015 Docker Inc 


Container Networking Basics 


Why are we mapping ports? 


+ Weare out of IPv4 addresses. 

+ Containers cannot have public IPv4 addresses. 
- They have private addresses. 

- Services have to be exposed port by port. 


e Ports have to be mapped to avoid conflicts. 
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Finding the web server port in a script 
Parsing the output of docker ps would be painful. 
There is a command to help us: 


$ docker port <containerID> 80 
32769 
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Manual allocation of port numbers 
If you want to set port numbers yourself, no problem: 


$ docker run -d -p 80:80 nginx 
$ docker run -d -p 8000:80 nginx 
$ docker run -d -p 8080:80 -p 8888:80 nginx 


- Weare running two NGINX web servers. 
- The first one is exposed on port 80. 
+ Thesecond one is exposed on port 8000. 


e The third one is exposed on ports 8080 and 8888. 


Note: the convention is port -on-host:port-on-container. 
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Plumbing containers into your infrastructure 


There are many ways to integrate containers in your network. 


- Start the container, letting Docker allocate a public port for it. 
Then retrieve that port number and feed it to your configuration. 


e Pick a fixed port number in advance, when you generate your configuration. 
Then start your container by setting the port numbers manually. 


+ Use a network plugin, connecting your containers with e.g. VLANs, tunnels... 


e Enable Swarm Mode to deploy across a cluster. 
The container will then be reachable through any node of the cluster. 
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Finding the container's IP address 
We can use the docker inspect command to find the IP address of the container. 


$ cys gene --format '{{ .NetworkSettings.IPAddress }}' <yourContainerID> 
172.17.0. 


e docker inspect is an advanced command, that can retrieve a ton of 
information about our containers. 


- Here, we provide it with a format string to extract exactly the private IP address 
of the container. 
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Pinging our container 


We can test connectivity to the container using the IP address we've just discovered. 
Let's see this now by using the ping tool. 


$ ping <ipAddress> 

64 bytes from <ipAddress>: icmp req=1 ttl-64 time=0.085 ms 
64 bytes from <ipAddress>: icmp req=2 ttl=64 time=0.085 ms 
64 bytes from <ipAddress>: icmp req=3 ttl=64 time=0.085 ms 
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The different network drivers 


A container can use one of the following drivers: 


e bridge (default) 
+ none 
+ host 


e container 


The driver is selected with docker run --net 
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The default bridge 


By default, the container gets a virtual et hO interface. 
(In addition to its own private Lo loopback interface.) 


That interface is provided by a veth pair. 


It is connected to the Docker bridge. 
(Named docker0 by default; configurable with - - bridge.) 


Addresses are allocated on a private, internal subnet. 
(Docker uses 172.17.0.0/16 by default; configurable with - - bip.) 


Outbound traffic goes through an iptables MASQUERADE rule. 
Inbound traffic goes through an iptables DNAT rule. 


The container can have its own routes, iptables rules, etc. 
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The null driver 


e Container is started with docker run --net none 
e It only gets the Lo loopback interface. No et hO. 
e It can't send or receive network traffic. 


e Useful for isolated/untrusted workloads. 


Docker Fundamentals d7590d1 233 © 2015 Docker Inc 


Container Networking Basics 


The host driver 


e Container is started with docker run --net host 

- It sees (and can access) the network interfaces of the host. 

e — lt can bind any address, any port (for ill and for good). 

e Network traffic doesn't have to go through NAT, bridge, or veth. 


e Performance = native! 
Use cases: 


e Performance sensitive applications (VOIP, gaming, streaming...) 


+ Peer discovery (e.g. Erlang port mapper, Raft, Serf...) 
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The container driver 


e Container is started with docker run --net container:id 
e Itre-uses the network stack of another container. 


e — It shares with this other container the same interfaces, IP address(es), routes, 
iptables rules, etc. 


e Those containers can communicate over their Lo interface. 
(i.e. one can bind to 127.0.0.1 and the others can connect to it.) 
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Section summary 


We've learned how to: 


- Expose a network port. 
- Manipulate container networking basics. 


e Finda container's IP address. 


In the next chapter, we will see how to connect containers together without exposing 
their ports. 
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The Container Network Model 
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Lesson 16: The Container Network Model 
Objectives 
We will learn about the CNM (Container Network Model). 


At the end of this lesson, you will be able to: 


Create a private network for a group of containers. 
Use container naming to connect services together. 
Dynamically connect and disconnect containers to networks. 


Set the IP address of a container. 


We will also explain the principle of overlay networks and network plugins. 
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The Container Network Model 
The CNM was introduced in Engine 1.9.0 (November 2015). 


The CNM adds the notion of a network, and a new top-level command to manipulate 
and see those networks: docker network. 


$ docker network ls 


NETWORK ID NAME DRIVER 
6bde79dfcf70 bridge bridge 
8d9c78725538 none null 
eb0eeab782f4 host host 
4c1ff84d6d3f blog-dev overlay 
228a4355d548 blog-prod overlay 
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What's in a network? 


e Conceptually, a network is a virtual switch. 

+ Itcan be local (to a single Engine) or global (across multiple hosts). 
«A network has an IP subnet associated to it. 

+ Anetwork is managed by a driver. 

«A network can have a custom IPAM (IP allocator). 

+ Containers with explicit names are discoverable via DNS. 

- All the drivers that we have seen before are available. 

+ Anew multi-host driver, overlay, is available out of the box. 


- More drivers can be provided by plugins (OVS, VLAN...) 
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Creating a network 
Let's create a network called dev. 


$ docker network create dev 
4clf f84d6d3 f1733d3e233ee039cac276f425a9d5228a4355d54878293a889ba 


The network is now visible with the network ls command: 


$ docker network ls 


NETWORK ID NAME DRIVER 
6bde79dfcf70 bridge bridge 
8d9c78725538 none null 
eb0eeab782f4 host host 
4c1ff84d6d3f dev bridge 
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Placing containers on a network 


We will create a named container on this network. 


It will be reachable with its name, search. 


$ docker run -d --name search --net dev elasticsearch 
8abb80e229ce8926c7223beb6969915f34d6f 1d438bf.c5682db893e798046863 
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Communication between containers 


Now, create another container on this network. 


$ docker run -ti --net dev alpine sh 
root@0ecccdfa45ef : /# 


From this new container, we can resolve and ping the other one, using its assigned 
name: 


/ # ping search 

PING search (172.18.0.2) 56(84) bytes of data. 

64 bytes from search.dev (172.18.0.2): icmp seq=1 ttl=64 time=0.221 ms 
64 bytes from search.dev (172.18.0.2): icmp seq=2 ttl=64 time=0.114 ms 
ae bytes from search.dev (172.18.0.2): icmp seq=3 ttl=64 time=0.114 ms 


--- search ping statistics --- 

3 packets transmitted, 3 received, 0% packet loss, time 2000ms 
rtt min/avg/max/mdev = 0.114/0.149/0.221/0.052 ms 
root@0ecccdfa45ef : /# 
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Resolving container addresses 


In Docker Engine 1.9, name resolution is implemented with /etc/hosts, and updating 
it each time containers are added/removed. 


SC, / 14 cat /etc/hosts 
172.18.0. = Oecccdfa45ef 
127. J 0. localhost 

:1 eaea ip6-localhost ip6-loopback 
fe00: :0 ip6-localnet 


ff00::0 ip6-mcastprefix 
ff02::1 ip6-allnodes 
ff02::2 ip6-allrouters 
172.18.0.2 search 


172.18.0.2 search.dev 


In Docker Engine 1.10, this has been replaced by a dynamic resolver. 


(This avoids race conditions when updating /etc/hosts.) 


Docker Fundamentals d7590d1 244 © 2015 Docker Inc 


The Container Network Model 


Connecting multiple containers together 


e Let's try to run an application that requires two containers. 
e The first container is a web server. 
+ The other one is a redis data store. 


+ We will place them both on the dev network created before. 
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Running the web server 


- The application is provided by the container image j petazzo/ 
trainingvheels. 


e We don't know much about it so we will try to run it and see what happens! 


Start the container, exposing all its ports: 


$ docker run --net dev -d -P jpetazzo/trainingwheels 


Check the port that has been allocated to it: 


$ docker ps -l 
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Test the web server 


- — If we connect to the application now, we will see an error page: 


Error -2 connecting to redis:6379. Name or service not known. 


+ This is because the Redis service is not running. 


e This container tries to resolve the name redis. 


Note: we're not using a FQDN or an IP address here; just redis. 
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Start the data store 


e We need to start a Redis container. 
e That container must be on the same network as the web server. 


e It must have the right name (redis) so the application can find it. 


Start the container: 


$ docker run --net dev --name redis -d redis 
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Test the web server again 


If we connect to the application now, we should see that the app is working 
correctly: 


Training wheels 


This request was served by f927b966d8e5. 


f927b966d8e5 served 1 request so far. 


The current ladder is: 


When the app tries to resolve redis, instead of getting a DNS error, it gets the 
IP address of our Redis container. 
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A few words on scope 


e What if we want to run multiple copies of our application? 


+ Since names are unique, there can be only one container named redis ata 
time. 


+ We can specify - -net -alias to define network-scoped aliases, 
independently of the container name. 


Let's remove the redis container: 
$ docker rm -f redis 

And create one that doesn't block the redis name: 
$ docker run --net dev --net-alias redis -d redis 


Check that the app still works (but the counter is back to 1, since we wiped out the old 
Redis container). 
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Names are local to each network 


Let's try to ping our Search container from another container, when that other 
container is not on the dev network. 


$ docker run --rm alpine ping search 
ping: bad address 'search' 


Names can be resolved only when containers are on the same network. 


Containers can contact each other only when they are on the same network (you can 
try to ping using the IP address to verify). 
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Network aliases 


We would like to have another network, prod, with its own search container. But 
there can be only one container named search! 


We will use network aliases. 

A container can have multiple network aliases. 

Network aliases are local to a given network (only exist in this network). 

Multiple containers can have the same network alias (even on the same network). In 


Docker Engine 1.11, resolving a network alias yields the IP addresses of all containers 
holding this alias. 
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Creating containers on another network 
Create the prod network. 


$ docker create network prod 
2ad1562fect2d8f115bedc16865*7336232a04268bdf2bd816aeccad1b68d50c 


We can now create multiple containers with the search alias on the new prod 
network. 


$ docker run -d --name prod-es-1 --net-alias search --net prod elasticsearch 
38079d21cat@c5533a301700d9e9e920724e89200083d"73211081¢8a356d771 
$ docker run -d --name prod-es-2 --net-alias search --net prod elasticsearch 
1820087a9c600 4315968805 0dcc 164c298183e 142662456094 fd46b16a€ 3bc3d 
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Resolving network aliases 


Let's try DNS resolution first, using the ns Lookup tool that ships with the alpine 
image. 


$ docker run --net prod --rm alpine nslookup search 
Name: search 

Address 1: 172.23.0.3 prod-es-2.prod 

Address 2: 172.23.0.2 prod-es-1.prod 


(You can ignore the can't resolve ' (null) ' errors.) 
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Connecting to aliased containers 


Each ElasticSearch instance has a name (generated when it is started). This name can be 
seen when we issue a simple HTTP request on the ElasticSearch API endpoint. 


Try the following command a few times: 


$ docker run --rm --net dev centos curl -s search:9200 
"name" : "Tarot", 


Then try it a few times by replacing --net dev with --net prod: 


$ docker run --rm --net prod centos curl -s search:9200 


"name" : "The Symbiote", 
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Good to know … 


+ Docker will not create network names and aliases on the default bridge 
network. 


- Therefore, if you want to use those features, you have to create a custom 
network first. 


e Network aliases are not unique: you can give multiple containers the same alias 
on the same network. 


- In Engine 1.10: one container will be selected and only its IP address will 
be returned when resolving the network alias. 


- In Engine 1.11: when resolving the network alias, the DNS reply includes 
the IP addresses of all containers with this network alias. This allows 
crude load balancing across multiple containers (but is not a substitute 
for a real load balancer). 


e In Engine 1.12: enabling Swarm Mode gives access to clustering features, 
including an advanced load balancer using Linux IPVS. 


+ Creation of networks and network aliases is generally automated with tools like 
Compose (covered in a few chapters). 
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A few words about round robin DNS 


Don't rely exclusively on round robin DNS to achieve load balancing. 


Many factors can affect DNS resolution, and you might see: 


all traffic going to a single instance; 

traffic being split (unevenly) between some instances; 
different behavior depending on your application language; 
different behavior depending on your base distro; 


different behavior depending on other factors (sic). 


It's OK to use DNS to discover available endpoints, but remember that you have to re- 
resolve every now and then to discover new endpoints. 
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Custom networks 


e When creating a network, extra options can be provided. 


e --internal disables outbound traffic (the network won't have a default 
gateway). 

e - -gateway indicates which address to use for the gateway (when utbound 
traffic is allowed). 

e --sSubnet (in CIDR notation) indicates the subnet to use. 

e --1p- range (in CIDR notation) indicates the subnet to allocate from. 

e --aux-address allows to specify a list of reserved addresses (which won't be 


allocated to containers). 
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Setting containers’ IP address 


e Itis possible to set a container's address with - - ip. 


e The IP address has to be within the subnet used for the container. 


A full example would look like this. 


$ docker network create --subnet 10.66.0.0/16 pubnet 
42b16ec#12383db6289a3e39¢3c02241395d7 185bcb1859b279e7a564d4e 135 
$ docker run --net pubnet --ip 10.66.66.66 -d ngi 
b2887adeb5578a01fd9¢55c435cad56bbbe802350711d274360195743680b09 


Note: don't hard code container IP addresses in your code! 


| repeat: don't hard code container IP addresses in your code! 
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Overlay networks 


- The features we've seen so far only work when all containers are on a single 
host. 


- If containers span multiple hosts, we need an overlay network to connect them 
together. 


+ Docker ships with a default network plugin, over Lay, implementing an overlay 
network leveraging VXLAN. 


+ Other plugins (Weave, Calico...) can provide overlay networks as well. 


+ Once you have an overlay network, all the features that we've used in this chapter 
work identically. 
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Multi-host networking (overlay) 


Out of the scope for this intro-level workshop! 


Very short instructions: 


e enable Swarm Mode (docker swarm init then docker swarm joinon 
other nodes) 


e docker network create mynet --driver overlay 


e docker service create --network mynet myimage 


See http://jpetazzo.github.io/orchestration-workshop for all the deets about clustering! 
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Multi-host networking (plugins) 
Out of the scope for this intro-level workshop! 


General idea: 


install the plugin (they often ship within containers) 


run the plugin (if it's in a container, it will often require extra parameters; don't 
just docker run it blindly!) 


some plugins require configuration or activation (creating a special file that tells 
Docker "use the plugin whose control socket is at the following location") 


you can then docker network create --driver pluginname 
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Section summary 


We've learned how to: 


+ Create private networks for groups of containers. 
- Assign IP addresses to containers. 


e Use container naming to implement service discovery. 
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Connecting Containers With Links 
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Lesson 17: Connecting containers with links 
Objectives 


Links were the "legacy" way of connecting containers (before the implementation of 
the CNM). 


They are still useful in some scenarios. 
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How links work 


e Links are created between two containers 
e Links are created from the client to the server 
e Links associate an arbitrary name to an existing container 


- Links exist only in the context of the client 
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The plan 


e We will create the redis container first. 
+ Then, we will create the www container, with a link to the previous container. 


e We don't need to use a custom network for this to work. 
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Create the redis container 
Let's launch a container from the redis image. 


$ docker run -d --name datastore redis 
<yourContainerID> 


Let's check the container is running: 


$ docker ps -l 
CONTAINER ID IMAGE COMMAND ewa PORTS NAMES 
9efd72a4f320 redis:latest redis-server Fe 6379/tcp datastore 


e Our container is launched and running an instance of Redis. 


- We used the - - name flag to reference our container easily later. 


e We could have used any name we wanted. 
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Create the www container 


If we create the web container without any extra option, it will not be able to connect to 
redis. 


$ docker run -dP jpetazzo/trainingwheels 


Check the port number with docker ps, and connect to it. 


We get the same red error page as before. 
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How our app connects to Redis 
Remember, in the code, we connect to the name redis: 
redis = redis.Redis("redis") 


- This means "try to connect to 'redis'". 
e Not 192.168.123.234. 


e Not redis.prod.mycompany.net. 


Obviously it doesn't work. 
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Creating a linked container 


Docker allows to specify links. 
Links indicate an intent: "this container will connect to this other container: 
Here is how to create our first link: 


$ docker run -ti --link datastore:redis alpine sh 


In this container, we can communicate with datastore using the redis DNS alias. 
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DNS 


Docker has created a DNS entry for the container, resolving to its internal IP address. 


$ docker run -it --link datastore:redis alpine ping redis 

PING redis (172.17.0.29): 56 data bytes 

64 bytes from 172.17.0.29: icmp seq=0 ttl=64 time=0.164 ms 
64 bytes from 172.17.0.29: icmp seq=1 ttl=64 time=0.122 ms 
64 bytes from 172.17.0.29: icmp seq=2 ttl=64 time=0.086 ms 
“C--- redis ping statistics --- 

3 packets transmitted, 3 packets received, 0% packet loss 

round-trip min/avg/max/stddev = 0.086/0.124/0.164/0.032 ms 


- The - - Link flag connects one container to another. 


e We specify the name of the container to link to, datastore, and an alias for 
the link, redis, in the format name: alias. 
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Starting our application 
Now that we've poked around a bit let's start the application itself in a fresh container: 


$ docker run -d -P --link datastore:redis jpetazzo/trainingwheels 


Now let's check the port number associated to the container. 


$ docker ps -l 


Docker Fundamentals d7590d1 273 © 2015 Docker Inc 


Connecting Containers With Links 


Confirming that our application works properly 
Finally, let's browse to our application and confirm it's working. 


http://<yourHostIP>:<port> 
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Links and environment variables 


In addition to the DNS information, Docker will automatically set environment variables 
in our container, giving extra details about the linked container. 


$ docker run --link datastore:redis alpine env 
PATH-/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin 
HOSTNAME-0738e57b771e 

REDIS PORT=tcp://172.17.0.120:6379 

REDIS PORT 6379 TCP=tcp://172.17.0.120:6379 

REDIS PORT 6379 TCP ADDR=172.17.0.120 

REDIS PORT 6379 TCP PORT=6379 

REDIS PORT 6379 TCP PROTO-tcp 

REDIS NAME=/dreamy wilson/redis 

REDIS ENV REDIS VERSION=2.8.13 

REDIS ENV REDIS DOWNLOAD URL=http://download.redis.io/releases/redis-2.8.13.tar.gz 
REDIS ENV REDIS DOWNLOAD SHA1=a72925a35849eb2d38a1ea076a3db82072d4ee43 
HOME-/ 

RUBY MAJOR=2.1 

RUBY VERSION=2.1.2 


e Each variables is prefixed with the link alias: redis. 


e Includes connection information PLUS any environment variables set in the 
datastore container via ENV instructions. 
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Differences between network aliases and links 


e With network aliases, you can start containers in any order. 
e With links, you have to start the server (in our example: Redis) first. 


e With network aliases, you cannot change the name of the server once it is 
running. If you want to add a name, you have to create a new container. 


e With links, you can give new names to an existing container. 
+ Network aliases require the use of a custom network. 

e Links can be used on the default bridge network. 

e Network aliases work across multi-host networking. 


e Links (as of Engine 1.11) only work with local containers (but this might be 
changed in the future). 


e Network aliases don't populate environment variables. 


- Links give access to the environment of the target container. 
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Section summary 


We've learned how to: 


e Create links between containers. 


e Use names and links to communicate across containers. 
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Lesson 18: Ambassadors 
Objectives 
At the end of this lesson, you will be able to understand the ambassador pattern. 


Ambassadors abstract the connection details for your services: 


e discovery (where is my service actually running?) 
e migration (what if my service has to be moved while | use it?) 


e fail over (what if my service has a replication system, and | need to connect to 
the right instance?) 


+ load balancing (what if there are multiple instances of my service?) 


e authentication (what if my service requires credentials, certificates, or 
otherwise?) 
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Ambassadors 


VVe've already seen a couple of vvays vve can manage our application architecture in 
Docker. 


e With network aliases. 


e With links. 


We're now going to see a pattern for service portability we call: ambassadors. 
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Ambassadors 
Introduction to Ambassadors 
The ambassador pattern: 


+ Takes advantage of Docker's per-container naming system and abstracts 
connections between services. 


+ Allows you to manage services without hard-coding connection information 
inside applications. 


To do this, instead of directly connecting containers you insert ambassador containers. 
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Interacting vvith ambassadors 


- The web application container uses normal Docker networking to connect to the 
ambassador. 


e The database container also talks with an ambassador. 


e For both containers, there is no difference between normal operation and 
operation with ambassador containers. 


- If the database container is moved (or a failover happens), its new location will 


be tracked by the ambassador containers, and the web application container will 
still be able to connect, without reconfiguration. 
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Ambassadors for simple service discovery 


Use case: 


my application code connects to redis on the default port (6379), 
my Redis service runs on another machine, on a non-default port (e.g. 12345), 


| want to use an ambassador to let my application connect without modification. 
The ambassador will be: 


a container running right next to my application, 
using the name redis (or linked as redis), 
listening on port 6379, 


forwarding connections to the actual Redis service. 
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Ambassadors for service migration 


Use case: 


. my application code still connects to redis, 

+ my Redis service runs somewhere else, 

- my Redis service is moved to a different host+port, 

e the location of the Redis service is given to me via e.g. DNS SRV records, 


e | want to use an ambassador to automatically connect to the new location, with 
as little disruption as possible. 


The ambassador will be: 


e the same kind of container as before, 
e running an additional routine to monitor DNS SRV records, 


e updating the forwarding destination when the DNS SRV records are updated. 


Docker Fundamentals d7590d1 285 © 2015 Docker Inc 


Ambassadors 


Ambassadors for credentials injection 


Use case: 


. my application code still connects to redis, 

e my application code doesn't provide Redis credentials, 
e my production Redis service requires credentials, 

+ my staging Redis service requires different credentials, 


e | want to use an ambassador to abstract those credentials. 
The ambassador will be: 


e — a container using the name redis (or a link), 
e passed the credentials to use, 
e running a custom proxy that accepts connections on Redis default port, 


e performing authentication with the target Redis service before forwarding traffic. 
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Ambassadors for load balancing 


Use case: 


my application code connects to a vveb service called api, 
| want to run multiple instances of the api backend, 
those instances will be on different machines and ports, 


| want to use an ambassador to abstract those details. 
The ambassador will be: 


a container using the name api (or a link), 
passed the list of backends to use (statically or dynamically), 
running a load balancer (e.g. HAProxy or NGINX), 


dispatching requests across all backends transparently. 
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"Ambassador" is a pattern 


There are many ways to implement the pattern. 


Different deployments will use different underlying technologies. 


+ On-premise deployments with a trusted network can track container locations 
in e.g. Zookeeper, and generate HAproxy configurations each time a location key 
changes. 


e Public cloud deployments or deployments across unsafe networks can add TLS 
encryption. 


e Ad-hoc deployments can use a master-less discovery protocol like avahi to 
register and discover services. 


- Itis also possible to do one-shot reconfiguration of the ambassadors. It is 
slightly less dynamic but has much less requirements. 


e Ambassadors can be used in addition to, or instead of, overlay networks. 
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Section summary 


VVe've learned hov to: 
e Understand the ambassador pattern and what it is used for (service portability). 


For more information about the ambassador pattern, including demos on Swarm and 
ECS: 


e AWS re:invent 2015 DVO317 


e SwarmWeek video about Swarm+Compose 
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Local Development Workflow with Docker 
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Lesson 19: Local Development Workflow with Docker 
Objectives 


At the end of this lesson, you will be able to: 


Share code between container and host. 


Use a simple local development workflow. 
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Using a Docker container for local development 


Never again: 


- "Works on my machine" 
- "Not the same version" 


e "Missing dependency" 


By using Docker containers, we will get a consistent development environment. 
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Our "namer" application 
+ The code is available on https://github.com/jpetazzo/namer. 


- The image jpetazzo/namer is automatically built by the Docker Hub. 


Let's run it with: 


$ docker run -dP jpetazzo/namer 


Check the port number with docker ps and open the application. 
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Let's look at the code 
Let's download our application's source code. 


$ git clone https://github.com/jpetazzo/namer 
$ cd namer 

$ ls -1 

company name generator.rb 

config.ru 

docker-compose.yml 

Dockerfile 

Gemfile 
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Where's my code? 
According to the Dockerfile, the code is copied into /Src : 


FROM ruby 
MAINTAINER Education Team at Docker <education@docker.com> 


COPY . /src 
WORKDIR /src 
RUN bundler install 


CMD ["rackup", "--host", "0.0.0.0"] 
EXPOSE 9292 


We want to make changes inside the container without rebuilding it each time. 


For that, we will use a volume. 
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Our first volume 
We will tell Docker to map the current directory to /S rc in the container. 


$ docker run -d -v $(pwd):/src -p 80:9292 jpetazzo/namer 


- The -d flag indicates that the container should run in detached mode (in the 
background). 


- The -v flag provides volume mounting inside containers. 
- The -p flag maps port 9292 inside the container to port 80 on the host. 
e jpetazzo/namer is the name of the image we will run. 


- We don't need to give a command to run because the Dockerfile already 
specifies rackup. 
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Mounting volumes inside containers 


The -v flag mounts a directory from your host into your Docker container. The flag 
structure is: 


[host-path] :[container-path]:[rw]|ro] 


- If [host-path] or [container-path] doesn't exist it is created. 
. You can control the write status of the volume with the ro and rw options. 


- If you don't specify rw or ro, it will be rw by default. 


There will be a full chapter about volumes! 
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Testing the development container 


Now let us see if our new container is running. 


$ docker ps 
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES 
045885b68bc5 trai... rackup 3 seconds ago Up ... 0.0.0.0:80->9292/tcp ... 
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Viewing our application 
Now let's browse to our web application on: 


http: //<yourHostIP>:80 


We can see our company naming application. 


& CG fi [© 107.23.94.209 


Jast-Schiller 


unleash customized web-readiness 
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Making a change to our application 
Our customer really doesn't like the color of our text. Let's change it. 


$ vi company name generator.rb 


And change 


color: royalblue, 


To: 


color: red; 
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Refreshing our application 
Now let's refresh our browser: 


http: //<yourHostIP>: 80 
We can see the updated color of our company naming application. 


€ C fi |) 107.23.94.209 


Hansen-Koch 
streamline B2B infomediaries 
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Improving the workflow with Compose 
You can also start the container with the following command: 


$ docker-compose up -d 


This works thanks to the Compose file, docker -compose . yml: 
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Why Compose? 
e Specifying all those "docleer run" parameters is tedious. 
- And error-prone. 
e We can "encode" those parameters in a "Compose file." 


+ When you see a docker-compose. yml file, you know that you can use 
docker-compose up. 


- Compose can also deal with complex, multi-container apps. 
(More on this later.) 
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Workflow explained 
We can see a simple workflow: 


1. Build an image containing our development environment. 
(Rails, Django...) 


2. Start a container from that image. 
Use the -v flag to mount source code inside the container. 


3. Edit source code outside the containers, using regular tools. 
(vim, emacs, textmate...) 


4. Test application. 
(Some frameworks pick up changes automatically. 
Others require you to Ctrl-C + restart after each modification.) 


5. Repeat last two steps until satisfied. 


6. When done, commit+push source code changes. 
(You are using version control, right?) 
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Debugging inside the container 
In 1.3, Docker introduced a feature called docker exec. 
It allows users to run a new process in a container which is already running. 


If sometimes you find yourself wishing you could SSH into a container: you can use 
docker exec instead. 


You can get a shell prompt inside an existing container this way, or run an arbitrary 
process for automation. 
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docker exec example 


$ # You can run ruby commands in the area the app is running and more! 
$ docker exec -it <yourContainerId> bash 
root@5ca2/7cf74c2e:/opt/namer# irb 

irb(main):001:0> [0, 1, 2, 3, 4].map {|x| x ** 2}.compact 

=> [0, 1, 4, 9, 16] 

irb(main) :002:0> exit 
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Stopping the container 
Now that we're done let's stop our container. 


$ docker stop <yourContainerID> 


And remove it. 


$ docker rm syourContainerID: 
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Section summary 


We've learned how to: 


e Share code between container and host. 
. Set our working directory. 


+ Use a simple local development workflow. 
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Lesson 20: Working with Volumes 
Objectives 


At the end of this lesson, you will be able to: 


Create containers holding volumes. 
Share volumes across containers. 


Share a host directory with one or many containers. 
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Working with Volumes 


Docker volumes can be used to achieve many things, including: 


- Bypassing the copy-on-write system to obtain native disk 1/0 performance. 
e Bypassing copy-on-write to leave some files out of docker commit. 

- Sharing a directory between multiple containers. 

e Sharing a directory between the host and a container. 


- Sharing a single file between the host and a container. 
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Volumes are special directories in a container 


Volumes can be declared in two different ways. 
Within a Docker file, with a VOLUME instruction. 


VOLUME /uploads 


On the command-line, with the -v flag for docker run. 


$ docker run -d -v /uploads myapp 


In both cases, /up Loads (inside the container) will be a volume. 
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Volumes bypass the copy-on-write system 


Volumes act as passthroughs to the host filesystem. 


The I/O performance on a volume is exactly the same as I/O performance on 
the Docker host. 


When you docker commit, the content of volumes is not brought into the 
resulting image. 


If a RUN instruction in a Dockerfile changes the content of a volume, those 
changes are not recorded neither. 


If a container is started with the - - read -on Ly flag, the volume will still be 
writable (unless the volume is a read-only volume). 
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Volumes can be shared across containers 
You can start a container with exactly the same volumes as another one. 
The new container will have the same volumes, in the same directories. 
They will contain exactly the same thing, and remain in sync. 
Under the hood, they are actually the same directories on the host anyway. 
This is done using the - -vo Lumes - from flag for docker run. 


$ docker run -it --name alpha -v /var/log ubuntu bash 
root@99020f87e695:/# date >/var/log/now 


In another terminal, let's start another container with the same volume. 


$ docker run --volumes-from alpha ubuntu cat /var/log/now 
Fri May 30 05:06:27 UTC 2014 
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Volumes exist independently of containers 


If a container is stopped, its volumes still exist and are available. 
Since Docker 1.9, we can see all existing volumes and manipulate them: 


$ docker volume ls 
R 


DRIVE VOLUME NAME 
local 5b0b65e4316da67c2d471086640e6005ca2264f3... 
local pgdata-prod 
local pgdata-dev 
local 13b59c9936d78d109d094693446e174e5480d973... 


Some of those volume names were explicit (pgdata-prod, pgdata-dev). 


The others (the hex IDs) were generated automatically by Docker. 
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Data containers (before Engine 1.9) 


A data container is a container created for the sole purpose of referencing one (or many) 
volumes. 


It is typically created with a no-op command: 


$ docker run --name files -v /var/www busybox true 
$ docker run --name logs -v /var/log busybox true 


+ We created two data containers. 
- They are using the busybox image, a tiny image. 
+ Weused the command true, possibly the simplest command in the world! 


e Wenamed each container to reference them easily later. 
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Using data containers 


Data containers are used by other containers thanks to - -vo Lumes - from. 
Consider the following (fictitious) example, using the previously created volumes: 


$ docker run -d --volumes-from files --volumes-from logs webserver 
$ docker run -d --volumes-from files ftpserver 
$ docker run -d --volumes-from logs lumberjack 


- The first container runs a webserver, serving content from / var/www and 
logging to /var/ log. 


e The second container runs a FTP server, allowing to upload content to the same 
/var/www path. 


e The third container collects the logs, and sends them to logstash, a log storage 
and analysis system, using the lumberjack protocol. 
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Named volumes (since Engine 1.9) 


+ We can now create and manipulate volumes as first-class concepts. 


+ Volumes can be created without a container, then used in multiple containers. 


Let's create a volume directly. 


$ docker volume create --name=website 
website 


Volumes are not anchored to a specific path. 
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Using our named volumes 


- Volumes are used with the -v option. 


+ When a host path does not contain a /, it is considered to be a volume name. 


Let's start a web server using the two previous volumes. 


$ docker run -d -p 8888:80 \ 
-v website:/usr/share/nginx/html \ 
-v logs:/var/log/nginx \ 
nginx 


Check that it's running correctly: 


$ curl localhost:8888 
<!DOCTYPE html> 


<hl>Welcome to nginx!</h1> 
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Using a volume in another container 


e We will make changes to the volume from another container. 


e In this example, we will run a text editor in the other container, but this could be 
a FTP server, a WebDAV server, a Git receiver... 


Let's start another container using the website volume. 


$ docker run -v website:/website -w /website -ti alpine vi index.html 


Make changes, save, and exit. 


Then run curl localhost: 8888 again to see your changes. 
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Managing volumes explicitly 


In some cases, you want a specific directory on the host to be mapped inside the 
container: 


- You want to manage storage and snapshots yourself. 
(With LVM, or a SAN, or ZFS, or anything else!) 


- You have a separate disk with better performance (SSD) or resiliency (EBS) than 
the system disk, and you want to put important data on that disk. 


e You want to share your source directory between your host (where the source 
gets edited) and the container (where it is compiled or executed). 


Wait, we already met the last use-case in our example development workflow! Nice. 


$ docker run -d -v /path/on/the/host:/path/in/container image ... 
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Sharing a directory between the host and a container 
The previous example would become something like this: 


$ mkdir -p /mnt/files /mnt/logs 

$ docker run -d -v /mnt/files:/var/www -v /mnt/logs:/var/log webserver 
$ docker run -d -v /mnt/files:/home/ftp ftpserver 

$ docker run -d -v /mnt/logs:/var/log lumberjack 


Note that the paths must be absolute. 


Those volumes can also be shared with - -volumes - f rom. 
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Migrating data with - -vo Lumes - from 


The - -vo Lumes - f rom option tells Docker to re-use all the volumes of an existing 
container. 


+ Scenario: migrating from Redis 2.8 to Redis 3.0. 
+ We have a container (my redis) running Redis 2.8. 
+ Stop the myredis container. 


. Start anew container, using the Redis 3.0 image, and the - - volumes - f rom 
option. 


e The new container will inherit the data of the old one. 


+ Newer containers can use - -volumes -f rom too. 
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Data migration in practice 
Let's create a Redis container. 
$ docker run -d --name redis28 redis:2.8 
Connect to the Redis container and set some data. 


$ docker run -ti --link redis28:redis alpine telnet redis 6379 


Issue the following commands: 


SET counter 42 
INFO server 
SAVE 

QUIT 


Docker Fundamentals d7590d1 324 © 2015 Docker Inc 


Working with Volumes 


Upgrading Redis 
Stop the Redis container. 


$ docker stop redis28 


Start the new Redis container. 


$ docker run -d --name redis30 --volumes-from redis28 redis:3.0 
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Testing the new Redis 
Connect to the Redis container and see our data. 


docker run -ti --link redis30:redis alpine telnet redis 6379 


Issue a few commands. 


GET counter 
INFO server 
QUIT 
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What happens when you remove containers with 
volumes? 


With Engine versions prior 1.9, volumes would be orphaned when the last 
container referencing them is destroyed. 


Orphaned volumes are not deleted, but you cannot access them. 
(Unless you do some serious archaeology in /var/lib/docker.) 


Since Engine 1.9, orphaned volumes can be listed with docker volume ls 
and mounted to containers with - v. 


Ultimately, you are the one responsible for logging, monitoring, and backup of your 
volumes. 
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Checking volumes defined by an image 
Wondering if an image has volumes? Just use docker inspect: 


$ # docker inspect training/datavol 
"config": { 
"Volumes": { 
"/var/webapp": {} 


r 


}] 
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Checking volumes used by a container 


To look which paths are actually volumes, and to what they are bound, use docker 
inspect (again): 


$ docker inspect <yourContainerID> 
"ID": "<yourContainerID>", 
| "Volumes: { 
ar/webapp": "/var/lib/docker/vfs/dir/ 
fa280c5b6207ed531efdacc673fF620cef2a7080f747dbbcca001db61de04468" 


}, 
"VoLumesRW" : 
"/var/webapp": true 


r 


}] 


+ We can see that our volume is present on the file system of the Docker host. 
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Sharing a single file between the host and a container 


The same - v flag can be used to share a single file. 
One of the most interesting examples is to share the Docker control socket. 


$ docker run -it -v /var/run/docker.sock:/var/run/docker.sock docker sh 


Warning: when using such mounts, the container gains root-like access to the host. It 
can potentially do bad things. 
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Volume plugins 


You can install plugins to manage volumes backed by particular storage systems, or 
providing extra features. For instance: 


e dvol - allows to commit/branch/rollback volumes; 


+ Flocker, REX-Ray - create and manage volumes backed by an enterprise storage 
system (e.g. SAN or NAS), or by cloud block stores (e.g. EBS); 


e Blockbridge, Portworx - provide distributed block store for containers; 


e and much more! 
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Section summary 


We've learned how to: 


+ Create and manage volumes. 
e Share volumes across containers. 


- Share a host directory with one or many containers. 


Docker Fundamentals d7590d1 332 © 2015 Docker Inc 


Compose For Development Stacks 


Compose For Development Stacks 
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Lesson 21: Using Docker Compose for Development 
Stacks 


Objectives 


Dockerfiles are great to build a single container. 


But when you want to start a complex stack made of multiple containers, you need a 
different tool. This tool is Docker Compose. 


In this lesson, you will use Compose to bootstrap a development environment. 
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What is Docker Compose? 


Docker Compose (formerly known as fig) is an external tool. It is optional (you do not 
need Compose to run Docker and containers) but we recommend it highly! 


The general idea of Compose is to enable a very simple, powerful onboarding workflow: 


1. Clone your code. 
2. Rundocker-compose up. 
3. Your app is up and running! 
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Compose overview 


This is how you work with Compose: 


¢ You describe a set (or stack) of containers in a YAML file called docker- 
compose. yml. 


e Yourundocker-compose up. 

+ Compose automatically pulls images, builds containers, and starts them. 
+ Compose can set up links, volumes, and other Docker options for you. 

- Compose can run the containers in the background, or in the foreground. 


e When containers are running in the foreground, their aggregated output is 
shown. 


Before diving in, let's see a small example of Compose in action. 
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Compose in action 
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Checking if Compose is installed 


If you are using the official training virtual machines, Compose has been pre-installed. 
You can always check that it is installed by running: 


$ docker-compose --version 
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Installing Compose 


If you want to install Compose on your machine, there are (at least) two methods. 


Compose is written in Python. If you have pip and use it to manage other Python 
packages, you can install compose with: 


$ sudo pip install docker-compose 


(Note: if you are familiar with vi rtua lenv, you can also use it to install Compose.) 


If you do not have pip, or do not want to use it to install Compose, you can also 
retrieve an all-in-one binary file: 


$ curl -L \ 
https://github.com/docker/compose/releases/download/1.8.0/docker-compose- ‘uname 
-S - Uuname -m 
> /usr/local/bin/docker-compose 
$ chmod +x /usr/local/bin/docker-compose 
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Launching Our First Stack with Compose 


First step: clone the source code for the app we will be working on. 


$ cd 
$ git clone git://github.com/jpetazzo/trainingwheels 


$ cd trainingwheels 
Second step: start your app. 
$ docker-compose up 


Watch Compose build and run your app with the correct parameters, including linking 
the relevant containers together. 
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Launching Our First Stack with Compose 
Verify that the app is running at http: //<yourHostIP>: 8000. 


Training wheels 


This request was served by 5457fb09c174. 


5457fb09c174 served 1 request so far. 


The current ladder is: 
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Stopping the app 
When you hit ^C, Compose tries to gracefully terminate all of the containers. 


After ten seconds (or if you press ^C again) it will forcibly kill them. 
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The docRer - compose. yml file 
Here is the file used in the demo: 


version: "2" 


services: 
WWW: 
build: www 


ports: 

- 8000:5000 
user: nobody 
environment: 

UG: 1 

command: python counter.py 
volumes: 

- ./www:/src 


redis: 
image: redis 
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Compose file versions 


Version 1 directly has the various containers (www, redis...) at the top level of the file. 


Version 2 has multiple sections: 


e version is mandatory and should be "2". 


e Services is mandatory and corresponds to the content of the version 1 
format. 


e networks is optional and can define multiple networks on which containers 
can be placed. 


e volumes is optional and can define volumes to be used (and potentially 
shared) by the containers. 
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Containers in docRer - compose. ymt 


Each service in the YAML file must contain either build, or image. 


e build indicates a path containing a Dockerfile. 


e image indicates an image name (local, or on a registry). 


The other parameters are optional. 
They encode the parameters that you would typically add to docker run. 


Sometimes they have several minor improvements. 
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Container parameters 


«e command indicates what to run (like CMD in a Dockerfile). 


- ports translates to one (or multiple) - p options to map ports. 


You can specify local ports (i.e. X : y to expose public port x). 


e volumes translates to one (or multiple) - v options. 
You can use relative paths here. 


For the full list, check http://docs.docker.com/compose/yml/. 
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Compose commands 


We already saw docRer - compose up, but another one is docker-compose 
build. It willexecute docker build for all containers mentioning a build path. 


It is common to execute the build and run steps in sequence: 


docker-compose build && docker-compose up 


Another common option is to start containers in the background: 


docker-compose up -d 
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Check container status 


It can be tedious to check the status of your containers with docker ps, especially 
when running multiple apps at the same time. 


Compose makes it easier; with docker-compose ps you will see only the status of 
the containers of the current stack: 


$ docker-compose ps 


Name Command State Ports 
trainingwheels redis 1 /entrypoint.sh red Up 6379/tcp 
trainingwheels www 1 python counter.py Up 0.0.0.0:8000->5000/tcp 
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Cleaning up 


If you have started your application in the background with Compose and want to stop 
it easily, you can use the k1 Ll command: 


$ docker-compose kill 
Likewise, docker -compose rm will let you remove containers (after confirmation): 


$ docker-compose rm 

Going to remove trainingwheels redis 1, trainingwheels www 1 
Are you sure? [yN] y 

Removing trainingwheels redis 1... 

Removing trainingwheels www_l... 


Alternatively, docker-compose down will stop and remove containers. 


$ docker-compose down 


Stopping trainingwheels www 1 ... done 
Stopping trainingwheels redis 1 ... done 
Removing trainingwheels www 1 ... done 
Removing trainingwheels redis 1 ... done 
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Special handling of volumes 


Compose is smart. If your container uses volumes, when you restart your application, 
Compose will create a new container, but carefully re-use the volumes it was using 
previously. 


This makes it easy to upgrade a stateful service, by pulling its new image and just 
restarting your stack with Compose. 
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Course Conclusion 
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Course Conclusion 


Course Summary 


During this class, we: 


e Installed Docker. 
e Launched our first container. 
+ Learned about images. 


+ Gotan understanding about how to manage connectivity and data in Docker 
containers. 


+ Learned how to integrate Docker into your daily workflow. 
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Questions 8: Next Steps 


Still Learning: 


Docker homepage - http://www.docker.com/ 

Docker Hub - https://hub.docker.com 

Docker blog - http://blog.docker.com/ 

Docker documentation - http://docs.docker.com/ 

Docker Getting Started Guide - http://www.docker.com/gettingstarted/ 
Docker code on GitHub - https://github.com/docker/docker 

Docker mailing list - https://groups.google.com/forum/#lforum/docker-user 


Docker on IRC: irc.freenode.net and channels #docker and #docker-dev 


Docker on Twitter - http://twitter.com/docker 


Get Docker help on Stack Overflow - http://stackoverflow.com/ 
search?q=docker 
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Thank You 


ds: docker 
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